diff --git a/.buildkite/pipeline.serverless.yml b/.buildkite/pipeline.serverless.yml
index f824c894ff4..bb5e56c6f88 100644
--- a/.buildkite/pipeline.serverless.yml
+++ b/.buildkite/pipeline.serverless.yml
@@ -6,7 +6,7 @@ env:
 DOCKER_COMPOSE_VERSION: "v2.24.1"
 DOCKER_VERSION: "false" # not required to set since system tests are not running yet
 KIND_VERSION: 'v0.20.0'
- K8S_VERSION: 'v1.30.0'
+ K8S_VERSION: 'v1.31.0'
 YQ_VERSION: 'v4.35.2'
 IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204"
 GH_CLI_VERSION: "2.29.0"
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index c78cebe476d..5966c463c09 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -5,7 +5,7 @@ env:
 DOCKER_COMPOSE_VERSION: "v2.24.1"
 DOCKER_VERSION: "26.1.2"
 KIND_VERSION: 'v0.20.0'
- K8S_VERSION: 'v1.30.0'
+ K8S_VERSION: 'v1.31.0'
 YQ_VERSION: 'v4.35.2'
 JQ_VERSION: '1.7'
 GH_CLI_VERSION: "2.29.0"
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 66fe666b74b..75ede3f363c 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -206,6 +206,7 @@
 /packages/gcp/data_stream/vpcflow @elastic/security-service-integrations
 /packages/gcp_metrics @elastic/obs-ds-hosted-services
 /packages/gcp_pubsub @elastic/security-service-integrations
+/packages/gigamon @elastic/security-service-integrations
 /packages/github @elastic/security-service-integrations
 /packages/gitlab @elastic/security-service-integrations
 /packages/golang @elastic/obs-infraobs-integrations
diff --git a/.github/workflows/bump-elastic-stack-version.yml b/.github/workflows/bump-elastic-stack-version.yml
index 2eb1217a55a..778b6f5ce01 100644
--- a/.github/workflows/bump-elastic-stack-version.yml
+++ b/.github/workflows/bump-elastic-stack-version.yml
@@ -25,7 +25,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Updatecli in the runner - uses: updatecli/updatecli-action@a0c478c868a71d3e239a65714de69450aa1ee2c6 #v2.65.0 + uses: updatecli/updatecli-action@d0950ebbe80f4f80c3392b288d6a218fae872f69 #v2.66.0 - name: Select diff action if: ${{ github.event_name == 'pull_request' }} diff --git a/packages/abnormal_security/_dev/deploy/docker/files/config.yml b/packages/abnormal_security/_dev/deploy/docker/files/config.yml index 0a4fa2adf7e..bb36aba3448 100644 --- a/packages/abnormal_security/_dev/deploy/docker/files/config.yml +++ b/packages/abnormal_security/_dev/deploy/docker/files/config.yml @@ -323,23 +323,7 @@ rules: Content-Type: - 'application/json' body: |- - {"threats":[{"threatId":"284712ab-6d8b-47b3-89d3-a314efef79e2"}],"pageNumber":2,"nextPageNumber":3} - - path: /v1/threats - methods: ['GET'] - query_params: - filter: "{filter:.*}" - pageNumber: 3 - pageSize: 1 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {"threats":[],"pageNumber":3,"nextPageNumber":4} + {"threats":[{"threatId":"284712ab-6d8b-47b3-89d3-a314efef79e2"}]} - path: /v1/threats/184712ab-6d8b-47b3-89d3-a314efef79e2 methods: ['GET'] query_params: @@ -402,26 +386,9 @@ rules: "https://www.example.com/" ] } - ], - "pageNumber": 1, - "nextPageNumber": 2 + ] } `}} - - path: /v1/threats/184712ab-6d8b-47b3-89d3-a314efef79e2 - methods: ['GET'] - query_params: - pageNumber: 2 - pageSize: 1 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {"threatId":"184712ab-6d8b-47b3-89d3-a314efef79e2","messages":[],"pageNumber":2,"nextPageNumber":3} - path: /v1/threats/284712ab-6d8b-47b3-89d3-a314efef79e2 methods: ['GET'] query_params: 
@@ -483,23 +450,6 @@ rules: "https://www.example.com/" ] } - ], - "pageNumber": 1, - "nextPageNumber": 2 + ] } `}} - - path: /v1/threats/284712ab-6d8b-47b3-89d3-a314efef79e2 - methods: ['GET'] - query_params: - pageNumber: 2 - pageSize: 1 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - 'application/json' - body: |- - {"threatId":"284712ab-6d8b-47b3-89d3-a314efef79e2","messages":[],"pageNumber":2,"nextPageNumber":3} diff --git a/packages/abnormal_security/changelog.yml b/packages/abnormal_security/changelog.yml index 69dce3904e5..81f78d39d0f 100644 --- a/packages/abnormal_security/changelog.yml +++ b/packages/abnormal_security/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.1.1" + changes: + - description: Update pagination termination condition in threat data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/10860 - version: "0.1.0" changes: - description: Initial release. diff --git a/packages/abnormal_security/data_stream/threat/agent/stream/cel.yml.hbs b/packages/abnormal_security/data_stream/threat/agent/stream/cel.yml.hbs index 26ca269a94a..874368bfe1f 100644 --- a/packages/abnormal_security/data_stream/threat/agent/stream/cel.yml.hbs +++ b/packages/abnormal_security/data_stream/threat/agent/stream/cel.yml.hbs @@ -50,7 +50,7 @@ program: | } }).do_request().as(resp, resp.StatusCode == 200 ? bytes(resp.Body).decode_json().as(body, { - "worklist": body.threats.map(e, e.threatId), + "worklist": body, "next": 0, }) : 
@@ -73,9 +73,9 @@ program: | )) ).as(state, state.with( !has(state.worklist) ? state : // Exit early due to GET failure. - state.next < size(state.worklist) ? + has(state.worklist.threats) && size(state.worklist.threats) > 0 ? request("GET", - state.url.trim_right("/") + "/v1/threats/" + string(state.worklist[state.next]) + "?" + { + state.url.trim_right("/") + "/v1/threats/" + string(state.worklist.threats[state.next].threatId) + "?" + { "pageSize": [string(state.page_size)], "pageNumber": [string(state.child_next_page)] }.format_query() @@ -85,30 +85,25 @@ program: | } }).do_request().as(resp, resp.StatusCode == 200 ? bytes(resp.Body).decode_json().as(body,{ - "events": ( - size(body.messages) > 0 ? - body.messages.map(e,{ - "message": e.encode_json(), - }) - : - [{"message":"retry"}] - ), + "events": body.messages.map(e,{ + "message": e.encode_json(), + }), "cursor": { "last_timestamp": state.end_time }, - "worklist": int(state.next) + 1 < size(state.worklist) || size(body.messages) > 0 ? state.worklist : [], - "child_next_page": size(body.messages) > 0 ? int(state.child_next_page) + 1 : 1, + "worklist": int(state.next) + 1 < size(state.worklist.threats) || has(body.nextPageNumber) ? state.worklist : {}, + "child_next_page": has(body.nextPageNumber) ? body.nextPageNumber : 1, "next": ( - size(body.messages) > 0 ? + has(body.nextPageNumber) ? state.next : - int(state.next) + 1 < size(state.worklist) ? + int(state.next) + 1 < size(state.worklist.threats) ? int(state.next) + 1 : 0 ), - "next_page": int(state.next) + 1 < size(state.worklist) || size(body.messages) > 0 ? state.next_page : int(state.next_page) + 1, - "want_more": true, + "next_page": int(state.next) + 1 < size(state.worklist.threats) || has(body.nextPageNumber) ? state.next_page : has(state.worklist.nextPageNumber) ? state.worklist.nextPageNumber : 1, + "want_more": int(state.next) + 1 < size(state.worklist.threats) || has(body.nextPageNumber) || has(state.worklist.nextPageNumber), }) : { 
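Review bot: The index `state.worklist.threats[state.next]` in the rewritten request URL is no longer bounded by the list length: the removed condition `state.next < size(state.worklist)` was that bound, and its replacement `size(state.worklist.threats) > 0` only proves the list is non-empty. It holds today because the earlier hunk stores `"next": 0` together with each new listing body and the later hunk advances `next` only under `int(state.next) + 1 < size(state.worklist.threats)`, so the invariant now lives in three places; restoring it here costs one expression, `has(state.worklist.threats) && state.next < size(state.worklist.threats) ?`. The CEL program starts and ends outside this hunk.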
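Review bot: The new `"events": body.messages.map(...)` line dereferences `messages` unguarded, while `nextPageNumber` from the same body is probed with `has()` on the lines right below it; a 200 response without a `messages` key therefore aborts the whole evaluation rather than yielding an empty page. The old `size(body.messages)` carried the same assumption, but since this block is being rewritten it is the moment to treat the two fields consistently, e.g. `"events": has(body.messages) ? body.messages.map(e, {"message": e.encode_json()}) : [],`. The test `int(state.next) + 1 < size(state.worklist.threats) || has(body.nextPageNumber)` is now repeated for `worklist`, `next_page` and `want_more`; binding it once with the file's existing `.as()` idiom would keep the three from drifting apart. The block continues past the end of the hunk.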
diff --git a/packages/abnormal_security/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/abnormal_security/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
index 97f21605a99..6c8ed420791 100644
--- a/packages/abnormal_security/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/abnormal_security/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
@@ -9,9 +9,6 @@ processors:
 tag: data_collection_error
 if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
 message: error message set and no data to process.
- - drop:
- if: ctx.message == 'retry'
- tag: drop_retry_events
 - rename:
 field: message
 tag: rename_message_to_event_original
diff --git a/packages/abnormal_security/data_stream/threat/sample_event.json b/packages/abnormal_security/data_stream/threat/sample_event.json
index ef29cc09849..92afae71478 100644
--- a/packages/abnormal_security/data_stream/threat/sample_event.json
+++ b/packages/abnormal_security/data_stream/threat/sample_event.json
@@ -45,22 +45,22 @@
 }
 },
 "agent": {
- "ephemeral_id": "3cfaa9dc-bca8-4e29-a807-77b68709b731",
- "id": "7aaba523-565c-4597-bc42-59135436336b",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "b66f399f-ba1c-4fe5-af82-9ca7a0204545",
+ "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
+ "name": "elastic-agent-55334",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "abnormal_security.threat",
- "namespace": "37330",
+ "namespace": "45319",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "7aaba523-565c-4597-bc42-59135436336b",
+ "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -88,7 +88,7 @@
 ],
 "dataset": "abnormal_security.threat",
 "id": "2260288475997441000",
- "ingested": "2024-08-08T06:53:48Z",
+ "ingested": "2024-08-23T05:40:07Z",
 "kind": "enrichment",
 "original": "{\"abxMessageId\":2260288475997441000,\"abxPortalUrl\":\"https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654\",\"attachmentCount\":0,\"attachmentNames\":[],\"attackStrategy\":\"Unknown Sender\",\"attackType\":\"Spam\",\"attackVector\":\"Link\",\"attackedParty\":\"Employee (Other)\",\"autoRemediated\":true,\"ccEmails\":[],\"fromAddress\":\"john@example.com\",\"fromName\":\"john\",\"impersonatedParty\":\"None / Others\",\"internetMessageId\":\"\\u003cAZz8NUMEST-qmuz77_koic@example\\u003e\",\"isRead\":false,\"postRemediated\":false,\"receivedTime\":\"2024-07-17T23:25:38Z\",\"recipientAddress\":\"bob@example.com\",\"remediationStatus\":\"Auto-Remediated\",\"remediationTimestamp\":\"2024-07-17T23:25:45.73564Z\",\"replyToEmails\":[],\"returnPath\":\"bounce-bob_H181S7GUCF@example.com\",\"senderDomain\":\"example.com\",\"senderIpAddress\":\"81.2.69.142\",\"sentTime\":\"2024-07-17T23:25:29Z\",\"subject\":\"YoU.have.𝗪𝟬0𝗡𝗡 a K0baIt 215-piece_ToooI_Set_Noo0wW..#GBOB\",\"summaryInsights\":[\"Abnormal Email Body HTML\",\"Invisible characters found in Email\",\"Suspicious Link\",\"Unusual Sender\",\"Unusual Sender Domain\"],\"threatId\":\"bf255f2d-a2ad-3f50-5075-fdcc24308bbd\",\"toAddresses\":[\"bob@example.com\"],\"urlCount\":1,\"urls\":[\"https://www.example.com/\"]}",
 "reference": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654",
diff --git a/packages/abnormal_security/docs/README.md b/packages/abnormal_security/docs/README.md
index 05bf7e52517..fe115e96cc6 100644
--- a/packages/abnormal_security/docs/README.md
+++ b/packages/abnormal_security/docs/README.md
@@ -498,22 +498,22 @@ An example event for `threat` looks as following:
 }
 },
 "agent": {
- "ephemeral_id": "3cfaa9dc-bca8-4e29-a807-77b68709b731",
- "id": "7aaba523-565c-4597-bc42-59135436336b",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "b66f399f-ba1c-4fe5-af82-9ca7a0204545",
+ "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
+ "name": "elastic-agent-55334",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "abnormal_security.threat",
- "namespace": "37330",
+ "namespace": "45319",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "7aaba523-565c-4597-bc42-59135436336b",
+ "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -541,7 +541,7 @@ An example event for `threat` looks as following:
 ],
 "dataset": "abnormal_security.threat",
 "id": "2260288475997441000",
- "ingested": "2024-08-08T06:53:48Z",
+ "ingested": "2024-08-23T05:40:07Z",
 "kind": "enrichment",
 "original": "{\"abxMessageId\":2260288475997441000,\"abxPortalUrl\":\"https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654\",\"attachmentCount\":0,\"attachmentNames\":[],\"attackStrategy\":\"Unknown Sender\",\"attackType\":\"Spam\",\"attackVector\":\"Link\",\"attackedParty\":\"Employee (Other)\",\"autoRemediated\":true,\"ccEmails\":[],\"fromAddress\":\"john@example.com\",\"fromName\":\"john\",\"impersonatedParty\":\"None / Others\",\"internetMessageId\":\"\\u003cAZz8NUMEST-qmuz77_koic@example\\u003e\",\"isRead\":false,\"postRemediated\":false,\"receivedTime\":\"2024-07-17T23:25:38Z\",\"recipientAddress\":\"bob@example.com\",\"remediationStatus\":\"Auto-Remediated\",\"remediationTimestamp\":\"2024-07-17T23:25:45.73564Z\",\"replyToEmails\":[],\"returnPath\":\"bounce-bob_H181S7GUCF@example.com\",\"senderDomain\":\"example.com\",\"senderIpAddress\":\"81.2.69.142\",\"sentTime\":\"2024-07-17T23:25:29Z\",\"subject\":\"YoU.have.𝗪𝟬0𝗡𝗡 a K0baIt 215-piece_ToooI_Set_Noo0wW..#GBOB\",\"summaryInsights\":[\"Abnormal Email Body HTML\",\"Invisible characters found in Email\",\"Suspicious Link\",\"Unusual Sender\",\"Unusual Sender Domain\"],\"threatId\":\"bf255f2d-a2ad-3f50-5075-fdcc24308bbd\",\"toAddresses\":[\"bob@example.com\"],\"urlCount\":1,\"urls\":[\"https://www.example.com/\"]}",
 "reference": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654",
diff --git a/packages/abnormal_security/manifest.yml b/packages/abnormal_security/manifest.yml
index bb86b81cabb..a6fd42b66b5 100644
--- a/packages/abnormal_security/manifest.yml
+++ b/packages/abnormal_security/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.2.1
 name: abnormal_security
 title: Abnormal Security
-version: 0.1.0
+version: 0.1.1
 description: Collect logs from Abnormal Security with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md
index e1b287ae35c..4a685d80987 100644
--- a/packages/amazon_security_lake/_dev/build/docs/README.md
+++ b/packages/amazon_security_lake/_dev/build/docs/README.md
@@ -4,8 +4,9 @@ This [Amazon Security Lake](https://aws.amazon.com/security-lake/) integration h
 Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources.
-The Amazon Security Lake integration currently supports only one mode of log collection:
+The Amazon Security Lake integration can be used in two different modes to collect data:
 - AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
+- AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode.
 ## Compatibility
@@ -37,6 +38,7 @@ The Amazon Security Lake integration collects logs from both [Third-party servic - For **Log and event sources**, choose which sources the subscriber is authorized to consume. - For **Data access method**, choose **S3** to set up data access for the subscriber. - For **Subscriber credentials**, provide the subscriber's **AWS account ID** and **external ID**. + - For **Notification details**, select **SQS queue**. - Choose Create. 3. Above mentioned steps will create and provide the required details such as IAM roles/AWS role ID, external ID and queue URL to configure AWS Security Lake Integration. @@ -48,11 +50,18 @@ The Amazon Security Lake integration collects logs from both [Third-party servic 3. Click on the "Amazon Security Lake" integration from the search results. 4. Click on the Add Amazon Security Lake Integration button to add the integration. ![Home Page](../img/home_page.png) -5. The integration currently only supports collecting logs via AWS S3. -6. While adding the integration, you have to configure the following details: - - bucket arn +5. By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS. + - queue url + ![Queue URL](../img/queue_url.png) + - collect logs via S3 Bucket toggled off - role ARN - external id + ![Role ARN and External ID](../img/role_arn_and_external_id.png) + +6. If you want to collect logs via AWS S3, then you have to put the following details: + - bucket arn + - role ARN + - external id **NOTE**: diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index 9b7ba194261..b320a9cdbe9 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.5.0" + changes: + - description: Re-added SQS notification settings which were removed due to a prior update error. + type: bugfix + link: https://github.com/elastic/integrations/pull/10854 - version: "1.4.1" changes: - description: "Remove confusing documentation remaining from previous change." diff --git a/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs b/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs index 67d1ad222d6..391daa8e96a 100644 --- a/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs +++ b/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs @@ -1,3 +1,4 @@ +{{#if collect_s3_logs}} {{#if bucket_arn}} bucket_arn: {{bucket_arn}} @@ -11,10 +12,32 @@ bucket_list_interval: {{interval}} {{#if bucket_list_prefix}} bucket_list_prefix: {{bucket_list_prefix}} {{/if}} + +{{else}} + +{{#if queue_url}} +queue_url: {{queue_url}} +{{/if}} +sqs.notification_parsing_script.source: {{event_parsing_script}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if visibility_timeout}} +visibility_timeout: {{visibility_timeout}} +{{/if}} +{{#if api_timeout}} +api_timeout: {{api_timeout}} +{{/if}} +{{#if max_number_of_messages}} +max_number_of_messages: {{max_number_of_messages}} +{{/if}} {{#if file_selectors}} file_selectors: {{file_selectors}} {{/if}} + +{{/if}} + {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -56,6 +79,11 @@ proxy_url: {{proxy_url}} ssl: {{ssl}} {{/if}} tags: +{{#if collect_s3_logs}} + - collect_s3_logs +{{else}} + - collect_sqs_logs +{{/if}} {{#if preserve_original_event}} - preserve_original_event {{/if}} diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index 4c27180a984..9187b741615 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml 
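Review bot: In the `@@ -11,10 +12,32 @@` hunk of aws-s3.yml.hbs the existing `{{#if file_selectors}}` block ends up inside the new `{{else}}` (SQS) branch, so a policy that used `file_selectors` with S3 polling silently stops rendering them once this version is installed. The manifest in the same commit retitles the variable `[SQS] File Selectors`, so this may be intended, but the changelog entry only describes re-adding SQS settings; either move the `{{#if file_selectors}}…{{/if}}` block after the mode switch's closing `{{/if}}` so it applies to both modes, or record the S3-mode removal in the changelog. `sqs.notification_parsing_script.source: {{event_parsing_script}}` is also the only option in that branch rendered without an `{{#if}}` guard; that is safe only because the manifest declares the variable required with a default, which a comment such as `{{! event_parsing_script is required in the manifest, so no guard }}` would make visible here.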
+++ b/packages/amazon_security_lake/data_stream/event/manifest.yml
@@ -7,6 +7,14 @@ streams:
 description: Collect Amazon Security Lake Events via AWS S3 input.
 template_path: aws-s3.yml.hbs
 vars:
+ - name: collect_s3_logs
+ required: true
+ show_user: true
+ title: Collect logs via S3 Bucket
+ description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.
+ type: bool
+ multi: false
+ default: false
 - name: access_key_id
 type: password
 title: Access Key ID
@@ -77,13 +85,56 @@ streams: show_user: true default: 5 description: Number of workers that will process the S3 objects listed. It is a required parameter for collecting logs via the AWS S3 Bucket. + - name: queue_url + type: text + title: "[SQS] Queue URL" + multi: false + required: false + show_user: true + description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. + - name: visibility_timeout + type: text + title: "[SQS] Visibility Timeout" + multi: false + required: false + show_user: true + default: 300s + description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s. + - name: api_timeout + type: text + title: "[SQS] API Timeout" + multi: false + required: false + show_user: true + default: 120s + description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s. + - name: max_number_of_messages + type: integer + title: "[SQS] Maximum Concurrent SQS Messages" + required: false + show_user: true + default: 5 + description: The maximum number of SQS messages that can be inflight at any time. - name: file_selectors type: yaml - title: "File Selectors" + title: "[SQS] File Selectors" multi: false required: false show_user: false - description: If the S3 bucket will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key, and the optional expand_event_list_from_field is the same as the global setting. 
If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + default: | + # Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events. + # - regex: '/CloudTrail/' + # decoding.codec.parquet.enabled: true + # decoding.codec.parquet.batch_size: 100 + # decoding.codec.parquet.process_parallel: true + - name: region + type: text + title: "[SQS] Region" + multi: false + required: false + show_user: true + description: The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value. - name: fips_enabled type: bool title: Enable S3 FIPS 
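Review bot: `queue_url` is declared `required: false` although SQS is the mode every new policy gets (the `collect_s3_logs` toggle added in the earlier hunk defaults to `false`), and its own description says it is required for that mode; Fleet has no conditional requirement, so a policy saved with the toggle off and no queue URL renders an `aws-s3` input with neither `queue_url` nor `bucket_arn` and only fails once the agent starts. That failure mode should at least be stated in the description, e.g. append `Leave this empty only when "Collect logs via S3 Bucket" is enabled; in SQS mode the input does not start without it.` The stream definition starts and ends outside this hunk.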
@@ -128,6 +179,23 @@ streams: show_user: false default: "" description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. + - name: event_parsing_script + type: yaml + title: Event Notification Parsing Script + multi: false + required: true + show_user: false + description: The JS script used to parse the custom format of SQS Event notifications. + default: | + function parse(notification) { + var evts = []; + var m = JSON.parse(notification); + var evt = new S3EventV2(); + evt.SetS3BucketName(m.detail.bucket.name); + evt.SetS3ObjectKey(m.detail.object.key); + evts.push(evt); + return evts; + } - name: proxy_url type: text title: Proxy URL diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index e6cc03128b9..b956a9743b4 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
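Review bot: The default `parse` function reads `m.detail.bucket.name` and `m.detail.object.key` without checking that `detail`, `bucket` or `object` exist, so any SQS message that is not in the expected object-created notification shape (a manually sent test message, or a notification from another producer sharing the queue) throws inside the script instead of being ignored; how the input treats a script error is not visible here, but at minimum the failure is opaque to the operator. A guard before the event is built, `if (!m.detail || !m.detail.bucket || !m.detail.object) { return evts; }`, returns an empty result for such messages, and the variable's description should name the notification shape the script expects, since it is hidden behind `show_user: false`. The variable list continues outside this hunk.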
@@ -4,8 +4,9 @@ This [Amazon Security Lake](https://aws.amazon.com/security-lake/) integration h Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources. -The Amazon Security Lake integration currently supports only one mode of log collection: +The Amazon Security Lake integration can be used in two different modes to collect data: - AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files. +- AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode. ## Compatibility @@ -37,6 +38,7 @@ The Amazon Security Lake integration collects logs from both [Third-party servic - For **Log and event sources**, choose which sources the subscriber is authorized to consume. - For **Data access method**, choose **S3** to set up data access for the subscriber. - For **Subscriber credentials**, provide the subscriber's **AWS account ID** and **external ID**. + - For **Notification details**, select **SQS queue**. - Choose Create. 3. Above mentioned steps will create and provide the required details such as IAM roles/AWS role ID, external ID and queue URL to configure AWS Security Lake Integration. 
@@ -48,11 +50,18 @@ The Amazon Security Lake integration collects logs from both [Third-party servic 3. Click on the "Amazon Security Lake" integration from the search results. 4. Click on the Add Amazon Security Lake Integration button to add the integration. ![Home Page](../img/home_page.png) -5. The integration currently only supports collecting logs via AWS S3. -6. While adding the integration, you have to configure the following details: - - bucket arn +5. By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS. + - queue url + ![Queue URL](../img/queue_url.png) + - collect logs via S3 Bucket toggled off - role ARN - external id + ![Role ARN and External ID](../img/role_arn_and_external_id.png) + +6. If you want to collect logs via AWS S3, then you have to put the following details: + - bucket arn + - role ARN + - external id **NOTE**: diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml index 8eef0cda615..5c3d3542857 100644 --- a/packages/amazon_security_lake/manifest.yml +++ b/packages/amazon_security_lake/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: amazon_security_lake title: Amazon Security Lake -version: "1.4.1" +version: "1.5.0" description: Collect logs from Amazon Security Lake with Elastic Agent. type: integration categories: ["aws", "security"] @@ -62,8 +62,8 @@ policy_templates: description: Collect logs from Amazon Security Lake instances. inputs: - type: aws-s3 - title: Collect Amazon Security Lake logs via AWS S3 - description: Collecting logs from Amazon Security Lake via AWS S3. + title: Collect Amazon Security Lake logs via AWS S3 or AWS SQS + description: Collecting logs from Amazon Security Lake via AWS S3 or AWS SQS. owner: github: elastic/security-service-integrations type: elastic diff --git a/packages/auditd/changelog.yml b/packages/auditd/changelog.yml index b2e23bcb4b9..a9a94f5a7be 100644 --- a/packages/auditd/changelog.yml 
+++ b/packages/auditd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.20.1"
+ changes:
+ - description: "Preserve auditd.log.record_type and fallback to auditd.log.SYSCALL"
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10829
 - version: "3.20.0"
 changes:
 - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
index 760f90b3559..6e5fda9f3f3 100644
--- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
@@ -1,3 +1,4 @@
 type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }
 type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE9900000000000000000000000000002a02cf40000000000000SADDR={ saddr_fam=inet6 laddr=2a02:cf40:: lport=56985 }
 type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100SADDR={ saddr_fam=local sockaddr len too short }
+node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): arch=c000003e syscall=87 success=yes exit=0 a0=7f1118081d10 a1=7f1118081d10 a2=242 a3=180 items=2 ppid=560201 pid=560348 auid=1561577791 uid=2012 gid=2007 euid=2012 suid=2012 fsuid=2012 egid=2007 sgid=2007 fsgid=2007 tty=(none) ses=126 comm="httpd" exe="/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd" key="delete"ARCH=x86_64 SYSCALL=unlink AUID="na-uoradbdba03" UID="dllogc" GID="oinstall" EUID="dllogc" SUID="dllogc" FSUID="dllogc" EGID="oinstall" SGID="oinstall" FSGID="oinstall"
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log-expected.json
index b25cee511e8..93f050f1ddc 100644
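Review bot: The added SYSCALL fixture line looks like a capture from a real host rather than synthetic data: a node name (`praorem001`), account names (`na-uoradbdba03`, `dllogc`, `oinstall`) and a full product install path, whereas the existing SOCKADDR lines carry nothing identifying; if it is real it should be anonymised before landing in a public test corpus. Separately, the enrichment separator between `key="delete"` and `ARCH=x86_64` is a control character that does not survive this rendering, and the expected output added in the next hunk records `"key": "delete\"\u001dARCH=x86_64"`, i.e. the pipeline folds the separator and the enriched `ARCH` field into `auditd.log.key`. That reads as a parsing defect being frozen into the expected file rather than behaviour worth asserting; worth checking against the pipeline change, which is not in this chunk.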
--- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log-expected.json
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log-expected.json
@@ -7,6 +7,7 @@
 "laddr": "0.0.0.0",
 "lport": 0,
 "original_field": "saddr",
+ "record_type": "SOCKADDR",
 "saddr": "02000000000000000000000000000000",
 "saddr_fam": "inet",
 "sequence": 23260118
@@ -31,6 +32,7 @@
 "laddr": "2a02:cf40::",
 "lport": 56985,
 "original_field": "saddr",
+ "record_type": "SOCKADDR",
 "saddr": "0A00DE9900000000000000000000000000002a02cf40000000000000",
 "saddr_fam": "inet6",
 "sequence": 23260106
@@ -53,6 +55,7 @@
 "auditd": {
 "log": {
 "original_field": "saddr",
+ "record_type": "SOCKADDR",
 "saddr": "0100",
 "saddr_fam": "local sockaddr len too short",
 "sequence": 23260105
@@ -69,6 +72,92 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-08-08T09:31:22.048Z", + "auditd": { + "log": { + "AUID": "na-uoradbdba03", + "EGID": "oinstall", + "EUID": "dllogc", + "FSGID": "oinstall", + "FSUID": "dllogc", + "GID": "oinstall", + "SGID": "oinstall", + "SUID": "dllogc", + "SYSCALL": "unlink", + "UID": "dllogc", + "a0": "7f1118081d10", + "a1": "7f1118081d10", + "a2": "242", + "a3": "180", + "items": "2", + "key": "delete\"\u001dARCH=x86_64", + "node": "praorem001", + "record_type": "SYSCALL", + "sequence": 4981103, + "ses": "126", + "success": true, + "syscall": "87", + "tty": "(none)" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "syscall", + "category": [ + "process" + ], + "kind": "event", + "original": "node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): arch=c000003e syscall=87 success=yes exit=0 a0=7f1118081d10 a1=7f1118081d10 a2=242 a3=180 items=2 ppid=560201 pid=560348 auid=1561577791 uid=2012 gid=2007 euid=2012 suid=2012 fsuid=2012 egid=2007 sgid=2007 fsgid=2007 tty=(none) ses=126 comm=\"httpd\" exe=\"/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd\" key=\"delete\"\u001dARCH=x86_64 SYSCALL=unlink AUID=\"na-uoradbdba03\" UID=\"dllogc\" GID=\"oinstall\" EUID=\"dllogc\" SUID=\"dllogc\" FSUID=\"dllogc\" EGID=\"oinstall\" SGID=\"oinstall\" FSGID=\"oinstall\"", + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64" + }, + "process": { + "executable": "/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd", + "exit_code": 0, + "name": "httpd", + "parent": { + "pid": 560201 + }, + "pid": 560348 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "audit": { + "id": "1561577791" + }, + "effective": { + "group": { + "id": "2007" + }, + "id": "2012" + }, + "filesystem": { + "group": { + "id": "2007" + }, + "id": "2012" + }, + "group": { + "id": "2007" + }, + "id": "2012", + "saved": { + "group": { + "id": "2007" + }, + "id": "2012" + } + } } ] } \ No 
newline at end of file diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json index 701eea29e17..f95c8d78728 100644 --- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json +++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json @@ -6,6 +6,7 @@ "log": { "dst_prefixlen": 16, "op": "SPD-delete", + "record_type": "MAC_IPSEC_EVENT", "sequence": 18877201, "ses": "4294967295", "src_prefixlen": 24 @@ -42,6 +43,7 @@ "log": { "a0": "9", "items": "0", + "record_type": "SYSCALL", "sequence": 18877199, "ses": "4294967295", "success": true, @@ -271,6 +273,7 @@ "auditd": { "log": { "proctitle": "bash", + "record_type": "PROCTITLE", "sequence": 194438 } }, @@ -291,6 +294,7 @@ "auditd": { "log": { "proctitle": "sshd: burn [priv]", + "record_type": "PROCTITLE", "sequence": 194440 } }, @@ -433,6 +437,7 @@ "@timestamp": "2020-02-10T21:59:44.206Z", "auditd": { "log": { + "record_type": "EXECVE", "sequence": 579393 } }, @@ -1782,6 +1787,7 @@ "@timestamp": "2016-12-07T02:20:31.371Z", "auditd": { "log": { + "record_type": "CWD", "sequence": 479 } }, @@ -1812,6 +1818,7 @@ "obj": "system_u:object_r:auditctl_exec_t:s0", "objtype": "NORMAL", "rdev": "00:00", + "record_type": "PATH", "sequence": 479 } }, @@ -1837,7 +1844,9 @@ }, { "auditd": { - "log": {} + "log": { + "record_type": "UNKNOWN[1329]" + } }, "ecs": { "version": "8.11.0" @@ -1866,6 +1875,7 @@ "old_pe": "0000000000000000", "old_pi": "0000000000000000", "old_pp": "0000000000000000", + "record_type": "BPRM_FCAPS", "sequence": 529 } }, @@ -1885,6 +1895,7 @@ "@timestamp": "2016-12-07T02:40:24.953Z", "auditd": { "log": { + "record_type": "SOCKADDR", "saddr": "02000050A9FEA9FE0000000000000000", "sequence": 688 } 
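Review bot: The new expected document in this hunk bakes in a mis-parse: `"key": "delete\"\u001dARCH=x86_64"` shows that the enriched-format record separator (U+001D) following `key="delete"` is not treated as a field boundary, so the rule key keeps a trailing quote plus the first enriched token, and `auditd.log.ARCH` (declared in fields.yml in this same change) is never populated. `key` is the value detection rules and dashboards pivot on (`auditd.log.key: delete`), so accepting this output hides a parsing defect rather than documenting one. If the pipeline's kv step (not in this chunk) cannot be told about U+001D, a `gsub` on the raw line replacing `\u001d` with a space before it would likely suffice, after which this file should be regenerated and show `"key": "delete"` and `"ARCH": "x86_64"`. This is inferred from the expected output alone; the kv processor itself is outside the visible hunks.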
@@ -1905,6 +1916,7 @@ "@timestamp": "2016-12-07T02:42:33.346Z", "auditd": { "log": { + "record_type": "CKADDR", "saddr": "02000050A9FEA9FE0000000000000000", "sequence": 737 } @@ -2054,6 +2066,7 @@ }, "capability": "3", "permissive": "1", + "record_type": "AVC", "scontext": "system_u:system_r:syslogd_t:s0", "sequence": 105992, "tclass": "capability", @@ -2088,6 +2101,7 @@ "dev": "dm-0", "ino": "188999", "name": "c73a516004b572d8c845c74c49b2511d:runtime.tmp", + "record_type": "AVC", "scontext": "test_u:staff_r:oddjob_mkhomedir_t:s0", "sequence": 101, "tclass": "lnk_file", @@ -2168,6 +2182,7 @@ "dev": "dm-0", "ino": "402139", "path": "/usr/move_file/move_file_c", + "record_type": "AVC", "scontext": "unconfined_u:unconfined_r:unconfined_t", "sequence": 311, "tclass": "process", diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json index f02900a2788..11aa5708aa0 100644 --- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json +++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json @@ -4,6 +4,7 @@ "@timestamp": "2022-01-24T12:01:08.518Z", "auditd": { "log": { + "record_type": "EXECVE", "sequence": 5009988 } }, @@ -32,6 +33,7 @@ "@timestamp": "2022-01-24T12:01:08.518Z", "auditd": { "log": { + "record_type": "EXECVE", "sequence": 5009988 } }, @@ -127,6 +129,7 @@ "@timestamp": "2022-01-24T12:01:08.518Z", "auditd": { "log": { + "record_type": "EXECVE", "sequence": 5009988 } }, @@ -222,6 +225,7 @@ "@timestamp": "2022-02-08T12:31:02.830Z", "auditd": { "log": { + "record_type": "EXECVE", "sequence": 9381969 } }, diff --git a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 852ee14cd8f..69415aaa353 100644 
--- a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -2265,10 +2265,10 @@ processors:
 - append:
 field: error.message
 value: "failed extracting process arguments: {{{ _ingest.on_failure_message }}}"
- - rename:
- ignore_failure: true
- field: auditd.log.record_type
- target_field: event.action
+ - set:
+ field: event.action
+ copy_from: auditd.log.record_type
+ override: false
 - lowercase:
 ignore_failure: true
 field: event.action
diff --git a/packages/auditd/data_stream/log/fields/fields.yml b/packages/auditd/data_stream/log/fields/fields.yml
index 66a8c3b478f..2745bf7ee44 100644
--- a/packages/auditd/data_stream/log/fields/fields.yml
+++ b/packages/auditd/data_stream/log/fields/fields.yml
@@ -36,6 +36,18 @@
 type: keyword
 description: |
 The first argument to the system call.
+ - name: a1
+ type: keyword
+ description: |
+ The second argument to the system call.
+ - name: a2
+ type: keyword
+ description: |
+ The third argument to the system call.
+ - name: a3
+ type: keyword
+ description: |
+ The fourth argument to the system call.
 - name: addr
 type: ip
 - name: avc.action
@@ -90,6 +102,9 @@
 type: keyword
 - name: kernel
 type: keyword
+ - name: key
+ type: keyword
+ description: Records the user defined string associated with a rule that generated a particular event in the Audit log.
 - name: key_enforce
 type: boolean
 - name: img-ctx
@@ -213,3 +228,28 @@
 type: keyword
 - name: xdevice
 type: keyword
+
+# log_format = ENRICHED fields
+ - name: ARCH
+ type: keyword
+ - name: AUID
+ type: keyword
+ - name: EGID
+ type: keyword
+ - name: EUID
+ type: keyword
+ - name: FSGID
+ type: keyword
+ - name: FSUID
+ type: keyword
+ - name: GID
+ type: keyword
+ - name: SGID
+ type: keyword
+ - name: SUID
+ type: keyword
+ - name: SYSCALL
+ type: keyword
+ - name: UID
+ type: keyword
+ 
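Review bot: The replacement `set` drops the `ignore_failure: true` that the old `rename` carried, and a `set` with `copy_from` raises when the source field is absent, so a record reaching this point without `auditd.log.record_type` would now fail the whole pipeline rather than merely leave `event.action` unset. Every fixture in this change does carry `record_type` (even the `UNKNOWN[1329]` case), so this may be unreachable today, but the processor should be made safe explicitly: add `ignore_empty_value: true` under `copy_from`, or keep `ignore_failure: true`. `override: false` also makes "an earlier `event.action` wins" the documented behaviour where the old `rename` would have failed silently; a one-line `# keep any event.action set by an earlier processor` above it would record that intent. The `processors` list this hunk belongs to continues outside the hunk.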
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
index 9a508d60a4c..e1fa3d900a0 100644
--- a/packages/auditd/docs/README.md
+++ b/packages/auditd/docs/README.md
@@ -91,7 +91,21 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
+| auditd.log.ARCH | | keyword |
+| auditd.log.AUID | | keyword |
+| auditd.log.EGID | | keyword |
+| auditd.log.EUID | | keyword |
+| auditd.log.FSGID | | keyword |
+| auditd.log.FSUID | | keyword |
+| auditd.log.GID | | keyword |
+| auditd.log.SGID | | keyword |
+| auditd.log.SUID | | keyword |
+| auditd.log.SYSCALL | | keyword |
+| auditd.log.UID | | keyword |
 | auditd.log.a0 | The first argument to the system call. | keyword |
+| auditd.log.a1 | The second argument to the system call. | keyword |
+| auditd.log.a2 | The third argument to the system call. | keyword |
+| auditd.log.a3 | The fourth argument to the system call. | keyword |
 | auditd.log.addr | | ip |
 | auditd.log.audit_failure | | keyword |
 | auditd.log.avc.action | | keyword |
@@ -120,6 +134,7 @@ An example event for `log` looks as following:
 | auditd.log.item | The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. | keyword |
 | auditd.log.items | The number of items in an event. | keyword |
 | auditd.log.kernel | | keyword |
+| auditd.log.key | Records the user defined string associated with a rule that generated a particular event in the Audit log. | keyword |
 | auditd.log.key_enforce | | boolean |
 | auditd.log.kind | | keyword |
 | auditd.log.ksize | | long |
diff --git a/packages/auditd/manifest.yml b/packages/auditd/manifest.yml
index 5673be5d1c2..815a35a5ca4 100644
--- a/packages/auditd/manifest.yml
+++ b/packages/auditd/manifest.yml
@@ -1,6 +1,6 @@
 name: auditd
 title: Auditd Logs
-version: "3.20.0"
+version: "3.20.1"
 description: Collect logs from Linux audit daemon with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/aws_logs/changelog.yml b/packages/aws_logs/changelog.yml
index 88c182368de..562e3f41583 100644
--- a/packages/aws_logs/changelog.yml
+++ b/packages/aws_logs/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.4.0"
+ changes:
+ - description: Update file_selectors field to be able to receive multiline configuration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10789
 - version: "1.3.1"
 changes:
 - description: Update max_number_of_messages parameter description
diff --git a/packages/aws_logs/data_stream/generic/manifest.yml b/packages/aws_logs/data_stream/generic/manifest.yml
index 8072fedc906..f78f0845f2e 100644
--- a/packages/aws_logs/data_stream/generic/manifest.yml
+++ b/packages/aws_logs/data_stream/generic/manifest.yml
@@ -221,11 +221,24 @@ streams: - name: file_selectors type: yaml title: File Selectors - multi: true + multi: false required: false show_user: false description: > If the SQS queue will have events that correspond to files that this integration shouldn’t process file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regex syntax is the same as the Go language. Files that don’t match one of the regexes won’t be processed. content_type, parsers, include_s3_metadata,max_bytes, buffer_size, and encoding may also be set for each file selector. + default: | + #- regex: /CloudTrail/ + # parsers: + # - multiline: + # pattern: ^ User IP <17 Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 10.0.0.0, IP = 10.0.0.0, Security negotiation complete for peer (10.0.0.0) Initiator, Inbound SPI = 0x6fdb0644, Outbound SPI = 0x14dde27d <166>Jul 12 2024 08:11:50 myAsaHostname : %ASA-6-605004: Login denied from 81.2.69.144/51215 to dmz-1000:81.2.69.145/https for user "" <166>Jul 12 2024 08:11:50 myAsaHostname : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.70 : user = : user IP = 81.2.69.144 +<190>Aug 08 2024 06:28:26 ciscoasa : %ASA-6-113005: AAA user authentication Rejected : reason = Account has been locked out : server = 192.168.1.1 : user = ***** : user IP = 81.2.69.144 \ No newline at end of file diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index d6d9e1798ec..7eb42767e19 100644 
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json @@ -11453,6 +11453,90 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-08-08T06:28:26.000Z", + "cisco": { + "asa": { + "rejection_reason": "Account has been locked out" + } + }, + "destination": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "authentication", + "network" + ], + "code": "113005", + "kind": "event", + "original": "<190>Aug 08 2024 06:28:26 ciscoasa : %ASA-6-113005: AAA user authentication Rejected : reason = Account has been locked out : server = 192.168.1.1 : user = ***** : user IP = 81.2.69.144", + "outcome": "failure", + "severity": 6, + "timezone": "UTC", + "type": [ + "denied", + "info" + ] + }, + "host": { + "hostname": "ciscoasa" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 190, + "severity": { + "code": 6 + } + } + }, + "observer": { + "hostname": "ciscoasa", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "ciscoasa" + ], + "ip": [ + "81.2.69.144", + "192.168.1.1" + ] + }, + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "name": "*****" + } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml index c290a3feee9..4a2c647222c 100644 
--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -392,7 +392,7 @@ processors:
 - "AAA user %{AUTH} Rejected(%{SPACE})?: reason = %{REASON:_temp_.cisco.rejection_reason}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?(%{CISCO_USER:source.user.name}|)(%{SPACE})?: user IP = %{IPORNONE}"
 pattern_definitions:
 AUTH: (authentication|authorization)
- REASON: (AAA failure|Account has been disabled|Invalid password|Password is expiring|Password has expired|Password malformed|Unspecified)
+ REASON: (AAA failure|Account has been disabled|Invalid password|Password is expiring|Password has expired|Password malformed|Unspecified|Account has been locked out)
 USERNAME: "[a-zA-Z0-9._'-]+"
 CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(?:%{HOSTNAME}\\)?%{USERNAME}\$?(?:@%{HOSTNAME})?(?:, *%{NUMBER})?))
 IPORNONE: (%{IP:source.address}|None)
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 44cc7b056c7..3adf8306481 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.36.3"
+version: "2.36.4"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 7fab604b068..5ecc4efcfaf 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
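Review bot: `REASON` remains a closed alternation, so this fix covers only the one string seen in the new fixture; the next unlisted reason text ASA emits in a 113005 message will again miss the grok and lose the `logon-failed` / `event.outcome: failure` tagging that lockout and brute-force detections key on. The pattern already anchors the reason on the literal `: server =` that follows it, so a lazy match appears both safer and forward-compatible: `REASON: .+?` while keeping the `(%{SPACE})?: server =` anchor in the grok line above. If the enumerated list is deliberate (to reject unexpected text), a comment above it saying so would save the next contributor the same one-string change.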
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.39.3"
+ changes:
+ - description: Fix handling of event.created and timestamp fields for FDR events.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10862
+- version: "1.39.2"
+ changes:
+ - description: Fix cursor timestamp handling.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10694
 - version: "1.39.1"
 changes:
 - description: Return empty `events` array when no resources in alert, host.
diff --git a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
index 00a66cb7bb2..fe2d51ce008 100644
--- a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
+++ b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
@@ -26,38 +26,33 @@ state: redact: fields: ~ program: | - state.with( - ( - !state.want_more ? - request( - "GET", - state.url.trim_right("/") + "/alerts/queries/alerts/v2?" + { - "sort": ["timestamp|asc"], - "offset": ["0"], - "limit": [string(state.batch_size)], - "filter": ['timestamp:>"'+state.?cursor.last_timestamp.orValue(string(now - duration(state.initial_interval)))+'"'], - }.format_query() - ) - : - request( - "GET", - state.url.trim_right("/") + "/alerts/queries/alerts/v2?" + { - "sort": ["timestamp|asc"], - "offset": [string(state.offset)], - "limit": [string(state.batch_size)], - ?"filter": has(state.?cursor.first_timestamp) ? optional.of(['timestamp:>"'+state.cursor.first_timestamp+'"']) : optional.none(), - }.format_query() - ) - ).do_request().as(get_resp, get_resp.StatusCode == 200 ? - bytes(get_resp.Body).decode_json().as(body, { - ?"resources": has(body.resources) && body.resources.size() > 0 ? optional.of(body.resources) : optional.none(), - "events": [], - "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), - "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? - int(state.offset) + body.resources.size() + ( + state.want_more ? + state.?page.start + : + optional.of(state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339))) + ).as(filter, state.with( + get_request( + state.url.trim_right("/") + "/alerts/queries/alerts/v2?" + { + "sort": ["timestamp|asc"], + "offset": [string(state.offset)], + "limit": [string(state.batch_size)], + ?"filter": filter.hasValue() ? + optional.of(['timestamp:>"'+filter.value()+'"']) : - 0, - }) + optional.none(), + }.format_query() + ).do_request().as(get_resp, get_resp.StatusCode == 200 ? + bytes(get_resp.Body).decode_json().as(body, + ( + int(state.offset) + body.resources.size() < body.meta.pagination.total + ).as(want_more, { + ?"resources": body.resources.size() > 0 ? 
optional.of(body.resources) : optional.none(), + "events": [], + "offset": want_more ? int(state.offset) + body.resources.size() : 0, + "want_more": want_more, + }) + ) : { "events": { @@ -87,18 +82,16 @@ program: | "message": e.encode_json(), }), "cursor": { - ?"last_timestamp": ( - has(inner_body.resources) && inner_body.resources.size() > 0 ? - optional.of(inner_body.resources.map(e, e.timestamp).max()) - : - state.?cursor.last_timestamp - ), - "first_timestamp": ( - state.?cursor.first_timestamp.orValue(null) != null ? - (state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp) - : - string(now - duration(state.initial_interval)) - ), + ?"last_timestamp": has(inner_body.resources) && inner_body.resources.size() > 0 ? + optional.of(inner_body.resources.map(e, timestamp(e.timestamp)).max().format(time_layout.RFC3339)) + : + state.?cursor.last_timestamp + }, + "page": { + "start": has(state.?cursor.start) ? + (state.want_more ? state.cursor.start : state.cursor.last_timestamp) + : + now.format(time_layout.RFC3339) }, }) : @@ -119,7 +112,7 @@ program: | } ) ) - ) + )) tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/crowdstrike/data_stream/alert/sample_event.json b/packages/crowdstrike/data_stream/alert/sample_event.json index cb482cacc6a..52e90de4ea6 100644 --- a/packages/crowdstrike/data_stream/alert/sample_event.json +++ b/packages/crowdstrike/data_stream/alert/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-11-03T18:00:22.328Z", "agent": { - "ephemeral_id": "532c45c9-f01e-40e0-9406-8997b9a2b29c", - "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "ephemeral_id": "704de05c-668d-431b-8483-ed43ec6a5942", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "crowdstrike": { "alert": { 
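Review bot: `has(state.?cursor.start)` in the new `page` block tests a key the cursor never carries — the `cursor` map written just above it only has `last_timestamp` — so `page.start` always falls through to `now.format(time_layout.RFC3339)`. If I read the first hunk correctly, the follow-up request when `want_more` is true then filters on `timestamp:>"<now of the previous page>"` together with a non-zero `offset`, which cannot return the rest of the batch; the remainder is only picked up on the next interval via `last_timestamp`, and alerts sharing that exact maximum timestamp are skipped by the strict `>` filter, so large alert bursts risk silent loss. The intent appears to be to pin the page-one filter for all later pages, and that value is already in scope as `filter`, e.g. `"start": filter.orValue(now.format(time_layout.RFC3339))`. The enclosing `program` block starts before this hunk.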
@@ -220,7 +220,7 @@ }, "data_stream": { "dataset": "crowdstrike.alert", - "namespace": "ep", + "namespace": "15119", "type": "logs" }, "device": { 
@@ -230,15 +230,15 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "crowdstrike.alert", "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", - "ingested": "2024-02-21T09:17:46Z", + "ingested": "2024-08-08T07:13:48Z", "kind": "alert", "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\
\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b
9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-00
1.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.e
xe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-am
d64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", "severity": 30 @@ -312,9 +312,10 @@ "crowdstrike-alert" ], "threat": { + "framework": "CrowdStrike Falcon Detections Framework", "tactic": { "id": [ - "TA0004" + "CSTA0004" ], "name": [ "MachineLearning" @@ -322,7 +323,7 @@ }, "technique": { "id": [ - "T0000" + "CST0000" ], "name": [ "Adware/PUP" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index 79253fb8dbc..876f7d1271b 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json @@ -1,9 +1,10 @@ { "expected": [ { - "@timestamp": "2021-07-07T17:05:21.137Z", + "@timestamp": "2021-07-07T17:05:21.162Z", "crowdstrike": { "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:05:21.137Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "RGID": "501", 
@@ -99,11 +100,12 @@ } }, { - "@timestamp": "2021-07-07T17:05:23.068Z", + "@timestamp": "2021-07-07T17:05:24.102Z", "crowdstrike": { "AsepWrittenCount": 0, "ConfigStateHash": "3090255842", "ContextProcessId": "365053603452626914", + "ContextTimeStamp": "2021-07-07T17:05:23.068Z", "DirectoryCreatedCount": 0, "DnsRequestCount": 0, "EffectiveTransmissionClass": "3", @@ -188,10 +190,11 @@ } }, { - "@timestamp": "2021-07-07T17:04:48.594Z", + "@timestamp": "2021-07-07T17:04:48.615Z", "crowdstrike": { "ConfigStateHash": "1620585913", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:04:48.594Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -575,10 +578,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:04.982Z", + "@timestamp": "2021-07-07T17:05:05.511Z", "crowdstrike": { "ConfigStateHash": "1701000200", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:04.982Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -681,10 +685,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:21.866Z", + "@timestamp": "2021-07-07T17:05:22.009Z", "crowdstrike": { "ConfigStateHash": "3090255842", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:21.866Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -785,10 +790,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:23.901Z", + "@timestamp": "2021-07-07T17:05:24.048Z", "crowdstrike": { "ConfigStateHash": "3090255842", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:23.901Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -987,10 +993,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:03.713Z", + "@timestamp": "2021-07-07T17:05:03.947Z", "crowdstrike": { "ConfigStateHash": "1701000200", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:03.713Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", 
@@ -1079,9 +1086,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:20.973Z", + "@timestamp": "2021-07-07T17:05:21.081Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:05:20.973Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -1159,10 +1167,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:30.308Z", + "@timestamp": "2021-07-07T17:05:30.841Z", "crowdstrike": { "ConfigStateHash": "3469235958", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:30.308Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -1561,9 +1570,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:28.570Z", + "@timestamp": "2021-07-07T17:05:28.717Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:05:28.570Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -1642,10 +1652,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:12.700Z", + "@timestamp": "2021-07-07T17:05:12.892Z", "crowdstrike": { "ConfigStateHash": "1620585913", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:12.700Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -1746,9 +1757,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:35.806Z", + "@timestamp": "2021-07-07T17:04:36.111Z", "crowdstrike": { "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:04:35.806Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -1829,9 +1841,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:04.770Z", + "@timestamp": "2021-07-07T17:05:40.055Z", "crowdstrike": { "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:05:04.770Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", 
@@ -1996,9 +2009,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:59.994Z", + "@timestamp": "2021-07-07T17:05:00.089Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:04:59.994Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "Flags": "0", @@ -2084,10 +2098,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:17.658Z", + "@timestamp": "2021-07-07T17:05:17.986Z", "crowdstrike": { "ConfigStateHash": "1479784503", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:17.658Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -2201,9 +2216,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:56.750Z", + "@timestamp": "2021-07-07T17:04:56.804Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:04:56.750Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "VolumeAppearanceTime": "1625677422.647", @@ -2580,10 +2596,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:07.037Z", + "@timestamp": "2021-07-07T17:05:07.086Z", "crowdstrike": { "ConfigStateHash": "3090255842", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:05:07.037Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -2671,9 +2688,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:36.729Z", + "@timestamp": "2021-07-07T17:05:36.784Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:05:36.729Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -2750,9 +2768,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:04.542Z", + "@timestamp": "2021-07-07T17:05:04.614Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:05:04.542Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", 
@@ -2823,9 +2842,10 @@ } }, { - "@timestamp": "2021-07-07T01:52:50.595Z", + "@timestamp": "2021-07-07T17:04:40.056Z", "crowdstrike": { "ConfigStateHash": "3967242894", + "ContextTimeStamp": "2021-07-07T01:52:50.595Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "IOServiceClass": "IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject", @@ -2893,9 +2913,10 @@ } }, { - "@timestamp": "2021-07-07T01:50:02.031Z", + "@timestamp": "2021-07-07T17:04:38.739Z", "crowdstrike": { "ConfigStateHash": "3967242894", + "ContextTimeStamp": "2021-07-07T01:50:02.031Z", "DeviceId": "251658248", "EffectiveTransmissionClass": "2", "Entitlements": "15", @@ -3059,10 +3080,11 @@ } }, { - "@timestamp": "2021-07-07T17:04:34.875Z", + "@timestamp": "2021-07-07T17:04:35.413Z", "crowdstrike": { "ConfigStateHash": "1701000200", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:04:34.875Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -3224,9 +3246,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:53.531Z", + "@timestamp": "2021-07-07T17:04:53.756Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:04:53.531Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "RequestType": "1", @@ -3467,10 +3490,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:09.064Z", + "@timestamp": "2021-07-07T17:05:09.069Z", "crowdstrike": { "BundleID": "com.apple.driver.AudioAUUC", "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:05:09.064Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -3844,9 +3868,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:24.929Z", + "@timestamp": "2021-07-07T17:05:25.128Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:05:24.929Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", 
@@ -3945,9 +3970,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:48.523Z", + "@timestamp": "2021-07-07T17:04:48.576Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:04:48.523Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -4099,9 +4125,10 @@ } }, { - "@timestamp": "2021-07-07T01:50:11.845Z", + "@timestamp": "2021-07-07T17:04:39.336Z", "crowdstrike": { "ConfigStateHash": "3967242894", + "ContextTimeStamp": "2021-07-07T01:50:11.845Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "MachOSubType": "3", @@ -4186,10 +4213,11 @@ } }, { - "@timestamp": "2021-07-07T01:50:08.014Z", + "@timestamp": "2021-07-07T17:04:38.929Z", "crowdstrike": { "ConfigStateHash": "3967242894", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T01:50:08.014Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -4466,9 +4494,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:33.027Z", + "@timestamp": "2021-07-07T17:05:33.060Z", "crowdstrike": { "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:05:33.027Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "VnodeModificationType": "0", @@ -4914,9 +4943,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:14.557Z", + "@timestamp": "2021-07-07T17:04:14.723Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:04:14.557Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -4995,7 +5025,7 @@ } }, { - "@timestamp": "2021-07-07T17:04:05.731Z", + "@timestamp": "2021-07-07T17:04:20.451Z", "crowdstrike": { "AgentLoadFlags": "0", "AgentLocalTime": "2021-07-07T17:04:05.731Z", 
@@ -5010,6 +5040,7 @@ "ConfigIDPlatform": "4", "ConfigStateHash": "3967242894", "ConfigurationVersion": "10", + "ContextTimeStamp": "2021-07-07T17:04:05.731Z", "CpuFeaturesMask": "7494065083858915", "CpuSignature": "591594", "CpuVendor": "0", @@ -5098,9 +5129,10 @@ } }, { - "@timestamp": "2021-07-07T17:03:58.515Z", + "@timestamp": "2021-07-07T17:03:58.553Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:03:58.515Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "UnixMode": "384", @@ -5427,9 +5459,10 @@ } }, { - "@timestamp": "2021-07-07T17:02:33.633Z", + "@timestamp": "2021-07-07T17:02:33.895Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:02:33.633Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -5675,9 +5708,10 @@ } }, { - "@timestamp": "2021-07-07T17:04:42.148Z", + "@timestamp": "2021-07-07T17:04:42.403Z", "crowdstrike": { "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:04:42.148Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "VnodeModificationType": "6", @@ -5756,10 +5790,11 @@ } }, { - "@timestamp": "2021-07-07T17:05:10.959Z", + "@timestamp": "2021-07-07T17:05:11.067Z", "crowdstrike": { "ConfigStateHash": "1284133626", "ContextProcessId": "130732827553316", + "ContextTimeStamp": "2021-07-07T17:05:10.959Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", @@ -5899,9 +5934,10 @@ } }, { - "@timestamp": "2021-07-07T17:02:12.283Z", + "@timestamp": "2021-07-07T17:02:14.451Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:02:12.283Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "VolumeIsNetwork": "0", 
@@ -5970,10 +6006,11 @@ } }, { - "@timestamp": "2021-07-07T17:04:34.525Z", + "@timestamp": "2021-07-07T17:04:34.879Z", "crowdstrike": { "ConfigStateHash": "2300098580", "ConnectionFlags": "0", + "ContextTimeStamp": "2021-07-07T17:04:34.525Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -6061,9 +6098,10 @@ } }, { - "@timestamp": "2021-07-07T17:05:26.828Z", + "@timestamp": "2021-07-07T17:05:27.114Z", "crowdstrike": { "ConfigStateHash": "1620585913", + "ContextTimeStamp": "2021-07-07T17:05:26.828Z", "ELFSubType": "4", "EffectiveTransmissionClass": "2", "Entitlements": "15", @@ -6224,9 +6262,10 @@ } }, { - "@timestamp": "2021-07-07T17:03:59.099Z", + "@timestamp": "2021-07-07T17:03:59.398Z", "crowdstrike": { "ConfigStateHash": "3090255842", + "ContextTimeStamp": "2021-07-07T17:03:59.099Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "USN": "89566685", @@ -6386,9 +6425,10 @@ } }, { - "@timestamp": "2021-07-07T17:03:02.785Z", + "@timestamp": "2021-07-07T17:03:03.057Z", "crowdstrike": { "ConfigStateHash": "1325353086", + "ContextTimeStamp": "2021-07-07T17:03:02.785Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "IsOnRemovableDisk": "0", @@ -6833,11 +6873,12 @@ } }, { - "@timestamp": "2020-11-08T17:04:56.730Z", + "@timestamp": "2020-11-08T17:04:59.646Z", "crowdstrike": { "AsepWrittenCount": 0, "ConfigStateHash": "1789338890", "ContextProcessId": "317713210176499254", + "ContextTimeStamp": "2020-11-08T17:04:56.730Z", "DirectoryCreatedCount": 0, "DnsRequestCount": 0, "Entitlements": "15", @@ -6925,7 +6966,7 @@ } }, { - "@timestamp": "2020-11-08T17:04:57.926Z", + "@timestamp": "2020-11-08T17:04:59.935Z", "crowdstrike": { "AllocateVirtualMemoryCount": 0, "ArchiveFileWrittenCount": 0, 
@@ -6936,6 +6977,7 @@ "ConHostProcessId": "3099352216141", "ConfigStateHash": "3343111420", "ContextProcessId": "3100508103359", + "ContextTimeStamp": "2020-11-08T17:04:57.926Z", "CreateProcessCount": 0, "CycleTime": 2937514388, "DirectoryCreatedCount": 0, @@ -7066,11 +7108,12 @@ } }, { - "@timestamp": "2020-11-08T17:05:01.341Z", + "@timestamp": "2020-11-08T17:05:00.139Z", "crowdstrike": { "AsepWrittenCount": 0, "ConfigStateHash": "3344040805", "ContextProcessId": "311775981885093125", + "ContextTimeStamp": "2020-11-08T17:05:01.341Z", "DirectoryCreatedCount": 0, "DnsRequestCount": 0, "Entitlements": "15", @@ -7269,9 +7312,10 @@ } }, { - "@timestamp": "2020-11-08T17:04:55.961Z", + "@timestamp": "2020-11-08T17:04:59.913Z", "crowdstrike": { "ConfigStateHash": "2784638081", + "ContextTimeStamp": "2020-11-08T17:04:55.961Z", "DnsRequestCount": 1, "DualRequest": "0", "EffectiveTransmissionClass": "3", @@ -7351,9 +7395,10 @@ } }, { - "@timestamp": "2020-11-08T17:05:01.645Z", + "@timestamp": "2020-11-08T17:05:02.247Z", "crowdstrike": { "ConfigStateHash": "4288861242", + "ContextTimeStamp": "2020-11-08T17:05:01.645Z", "Entitlements": "15", "UnixMode": "32768", "cid": "ffffffff30a3407dae27d0503611022d", @@ -7546,9 +7591,10 @@ } }, { - "@timestamp": "2020-11-08T17:05:14.133Z", + "@timestamp": "2020-11-08T17:05:14.427Z", "crowdstrike": { "ConfigStateHash": "3899738370", + "ContextTimeStamp": "2020-11-08T17:05:14.133Z", "DesiredAccess": "1180054", "EffectiveTransmissionClass": "3", "Entitlements": "15", @@ -7638,10 +7684,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:16.421Z", + "@timestamp": "2020-11-08T17:05:16.502Z", "crowdstrike": { "ConfigStateHash": "1306766522", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:05:16.421Z", "Entitlements": "15", "InContext": "0", "LocalAddressIP4": [ 
@@ -7742,10 +7789,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:16.849Z", + "@timestamp": "2020-11-08T17:05:16.942Z", "crowdstrike": { "ConfigStateHash": "2602391615", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:05:16.849Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -7859,11 +7907,12 @@ } }, { - "@timestamp": "2020-11-08T17:04:51.781Z", + "@timestamp": "2020-11-08T17:05:21.077Z", "crowdstrike": { "AuthenticationId": "6580764513", "AuthenticationPackage": "Negotiate", "ConfigStateHash": "3011122681", + "ContextTimeStamp": "2020-11-08T17:04:51.781Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "LogonDomain": "NT AUTHORITY", @@ -7951,10 +8000,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:20.785Z", + "@timestamp": "2020-11-08T17:05:21.109Z", "crowdstrike": { "AuthenticationId": "2007206396", "ConfigStateHash": "3011122681", + "ContextTimeStamp": "2020-11-08T17:05:20.785Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileEcpBitmask": "0", @@ -8142,9 +8192,10 @@ } }, { - "@timestamp": "2020-11-08T17:03:45.966Z", + "@timestamp": "2020-11-08T17:05:49.643Z", "crowdstrike": { "ConfigStateHash": "537307300", + "ContextTimeStamp": "2020-11-08T17:03:45.966Z", "DesiredAccess": "1180054", "EffectiveTransmissionClass": "3", "Entitlements": "15", @@ -8234,10 +8285,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:50.066Z", + "@timestamp": "2020-11-08T17:05:50.545Z", "crowdstrike": { "ConfigStateHash": "3765958535", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:05:50.066Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -8329,10 +8381,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:52.993Z", + "@timestamp": "2020-11-08T17:05:54.274Z", "crowdstrike": { "ClientComputerName": "com1", "ConfigStateHash": "3011122681", + "ContextTimeStamp": "2020-11-08T17:05:52.993Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "EtwRawThreadId": 5304, 
@@ -8435,9 +8488,10 @@ } }, { - "@timestamp": "2020-11-08T17:05:51.534Z", + "@timestamp": "2020-11-08T17:05:54.670Z", "crowdstrike": { "ConfigStateHash": "3343111420", + "ContextTimeStamp": "2020-11-08T17:05:51.534Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileObject": "18446636884348143072", @@ -8521,11 +8575,12 @@ } }, { - "@timestamp": "2020-11-08T17:05:35.209Z", + "@timestamp": "2020-11-08T17:06:00.047Z", "crowdstrike": { "AsepWrittenCount": 0, "ConfigStateHash": "230795414", "ContextProcessId": "318137549555284836", + "ContextTimeStamp": "2020-11-08T17:05:35.209Z", "DirectoryCreatedCount": 0, "DnsRequestCount": 0, "Entitlements": "15", @@ -8613,10 +8668,11 @@ } }, { - "@timestamp": "2020-11-08T17:06:11.731Z", + "@timestamp": "2020-11-08T17:06:13.077Z", "crowdstrike": { "ApiReturnValue": "1", "ConfigStateHash": "3338885535", + "ContextTimeStamp": "2020-11-08T17:06:11.731Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d", @@ -8776,9 +8832,10 @@ } }, { - "@timestamp": "2020-11-08T17:05:46.590Z", + "@timestamp": "2020-11-08T17:06:17.513Z", "crowdstrike": { "ConfigStateHash": "1763245019", + "ContextTimeStamp": "2020-11-08T17:05:46.590Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileObject": "18446622606546437424", @@ -8864,9 +8921,10 @@ } }, { - "@timestamp": "2020-11-08T17:06:05.213Z", + "@timestamp": "2020-11-08T17:06:20.332Z", "crowdstrike": { "ConfigStateHash": "402097454", + "ContextTimeStamp": "2020-11-08T17:06:05.213Z", "DesiredAccess": "1048577", "EffectiveTransmissionClass": "3", "Entitlements": "15", @@ -8955,10 +9013,11 @@ } }, { - "@timestamp": "2020-11-08T17:06:36.468Z", + "@timestamp": "2020-11-08T17:06:36.635Z", "crowdstrike": { "AuthenticationId": "999", "ConfigStateHash": "3343111420", + "ContextTimeStamp": "2020-11-08T17:06:36.468Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InterfaceGuid": "367ABB81-9844-35F1-AD32-98F038001003", 
@@ -9052,10 +9111,11 @@ } }, { - "@timestamp": "2020-11-08T17:06:40.751Z", + "@timestamp": "2020-11-08T17:06:40.836Z", "crowdstrike": { "ConfigStateHash": "203564169", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:06:40.751Z", "Entitlements": "15", "InContext": "0", "LocalAddressIP6": [ @@ -9369,9 +9429,10 @@ } }, { - "@timestamp": "2020-11-08T09:58:32.519Z", + "@timestamp": "2020-11-08T17:07:22.091Z", "crowdstrike": { "ConfigStateHash": "1763245019", + "ContextTimeStamp": "2020-11-08T09:58:32.519Z", "DesiredAccess": "1179785", "EffectiveTransmissionClass": "3", "Entitlements": "15", @@ -9461,7 +9522,7 @@ } }, { - "@timestamp": "2020-11-08T17:07:54.377Z", + "@timestamp": "2020-11-08T17:07:56.657Z", "crowdstrike": { "AllocateVirtualMemoryCount": 0, "ArchiveFileWrittenCount": 0, @@ -9472,6 +9533,7 @@ "ConHostProcessId": "1731198143955", "ConfigStateHash": "2030177841", "ContextProcessId": "1741732942772", + "ContextTimeStamp": "2020-11-08T17:07:54.377Z", "CycleTime": 473618996, "DirectoryCreatedCount": 0, "DirectoryEnumeratedCount": 0, @@ -9601,10 +9663,11 @@ } }, { - "@timestamp": "2020-11-08T17:08:37.892Z", + "@timestamp": "2020-11-08T17:08:49.571Z", "crowdstrike": { "AuthenticationId": "895027", "ConfigStateHash": "3338885535", + "ContextTimeStamp": "2020-11-08T17:08:37.892Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileEcpBitmask": "0", @@ -9693,10 +9756,11 @@ } }, { - "@timestamp": "2020-11-08T17:09:11.158Z", + "@timestamp": "2020-11-08T17:09:11.798Z", "crowdstrike": { "ConfigStateHash": "3765958535", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:09:11.158Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", 
@@ -9797,9 +9861,10 @@ } }, { - "@timestamp": "2020-11-08T14:34:30.744Z", + "@timestamp": "2020-11-08T17:09:15.495Z", "crowdstrike": { "ConfigStateHash": "1457965279", + "ContextTimeStamp": "2020-11-08T14:34:30.744Z", "Entitlements": "15", "VnodeModificationType": "10", "cid": "ffffffff30a3407dae27d0503611022d", @@ -9882,9 +9947,10 @@ } }, { - "@timestamp": "2020-11-08T17:06:31.803Z", + "@timestamp": "2020-11-08T17:06:33.422Z", "crowdstrike": { "ConfigStateHash": "3011122681", + "ContextTimeStamp": "2020-11-08T17:06:31.803Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "UserLogonFlags": "1", @@ -9963,10 +10029,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:36.669Z", + "@timestamp": "2020-11-08T17:06:39.798Z", "crowdstrike": { "ConfigStateHash": "1858880895", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:05:36.669Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InContext": "0", @@ -10074,9 +10141,10 @@ } }, { - "@timestamp": "2020-11-08T16:42:35.987Z", + "@timestamp": "2020-11-08T17:06:53.224Z", "crowdstrike": { "ConfigStateHash": "1789338890", + "ContextTimeStamp": "2020-11-08T16:42:35.987Z", "Entitlements": "15", "TargetFileName": "/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478", "cid": "ffffffff30a3407dae27d0503611022d", @@ -10159,10 +10227,11 @@ } }, { - "@timestamp": "2020-11-08T17:07:48.323Z", + "@timestamp": "2020-11-08T17:07:48.755Z", "crowdstrike": { "ConfigStateHash": "203564169", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:07:48.323Z", "Entitlements": "15", "InContext": "0", "LocalAddressIP6": [ @@ -10249,9 +10318,10 @@ } }, { - "@timestamp": "2020-11-08T17:08:00.307Z", + "@timestamp": "2020-11-08T17:08:43.217Z", "crowdstrike": { "ConfigStateHash": "3765958535", + "ContextTimeStamp": "2020-11-08T17:08:00.307Z", "DualRequest": "0", "EffectiveTransmissionClass": "3", "Entitlements": "15", 
@@ -10326,8 +10396,9 @@ } }, { - "@timestamp": "2020-11-08T17:08:35.034Z", + "@timestamp": "2020-11-08T17:08:49.102Z", "crowdstrike": { + "ContextTimeStamp": "2020-11-08T17:08:35.034Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "VolumeDeviceCharacteristics": "131072", @@ -10410,10 +10481,11 @@ } }, { - "@timestamp": "2020-11-08T17:05:27.011Z", + "@timestamp": "2020-11-08T17:05:28.936Z", "crowdstrike": { "ConfigStateHash": "1789338890", "ConnectionFlags": "0", + "ContextTimeStamp": "2020-11-08T17:05:27.011Z", "Entitlements": "15", "InContext": "0", "LocalAddressIP4": [ @@ -10501,10 +10573,11 @@ } }, { - "@timestamp": "2020-11-08T17:06:25.108Z", + "@timestamp": "2020-11-08T17:06:24.068Z", "crowdstrike": { "AuthenticationId": "999", "ConfigStateHash": "3338885535", + "ContextTimeStamp": "2020-11-08T17:06:25.108Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "InterfaceGuid": "367ABB81-9844-35F1-AD32-98F038001003", @@ -10589,9 +10662,10 @@ } }, { - "@timestamp": "2020-11-08T17:08:19.018Z", + "@timestamp": "2020-11-08T17:08:22.512Z", "crowdstrike": { "ConfigStateHash": "3338885535", + "ContextTimeStamp": "2020-11-08T17:08:19.018Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "TargetThreadId": "24238019995551", @@ -10661,10 +10735,11 @@ } }, { - "@timestamp": "2020-11-08T17:07:07.625Z", + "@timestamp": "2020-11-08T17:07:44.313Z", "crowdstrike": { "AuthenticationId": "3443175", "ConfigStateHash": "3338885535", + "ContextTimeStamp": "2020-11-08T17:07:07.625Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileEcpBitmask": "0", @@ -11019,10 +11094,11 @@ } }, { - "@timestamp": "2020-11-08T15:57:10.593Z", + "@timestamp": "2020-11-08T15:57:11.298Z", "crowdstrike": { "AuthenticationId": "703298", "ConfigStateHash": "2642284486", + "ContextTimeStamp": "2020-11-08T15:57:10.593Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileEcpBitmask": "0", 
@@ -11110,9 +11186,10 @@ } }, { - "@timestamp": "2020-11-08T15:54:59.164Z", + "@timestamp": "2020-11-08T15:54:59.812Z", "crowdstrike": { "ConfigStateHash": "666346415", + "ContextTimeStamp": "2020-11-08T15:54:59.164Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "VolumeName": "\\Device\\HarddiskVolume27", @@ -11184,9 +11261,10 @@ } }, { - "@timestamp": "2020-11-08T15:58:18.548Z", + "@timestamp": "2020-11-08T15:57:20.625Z", "crowdstrike": { "ConfigStateHash": "3429017943", + "ContextTimeStamp": "2020-11-08T15:58:18.548Z", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d", "name": "FirewallDisabledMacV1" @@ -11254,7 +11332,7 @@ } }, { - "@timestamp": "2021-11-09T05:47:19.952Z", + "@timestamp": "2021-11-09T09:00:27.353Z", "crowdstrike": { "AgentLoadFlags": "0", "AgentLocalTime": "2021-11-09T05:47:19.952Z", 
@@ -11269,14 +11347,13 @@ "ProductType": "1", "SystemManufacturer": "Apple Inc.", "SystemProductName": "MacBookPro16,2", - "Time": "2021-11-09T09:00:27.353Z", "cid": "ffffffff30a3407dae27d0503611022ff" }, "ecs": { "version": "8.11.0" }, "event": { - "created": "2021-11-09T05:47:19.952Z", + "created": "2021-11-09T09:00:27.353Z", "original": "{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"1636436839.9529998\",\"AgentTimeOffset\":\"125.319\",\"AgentVersion\":\"6.31.14404.0\",\"BiosManufacturer\":\"Apple Inc.\",\"BiosVersion\":\"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)\",\"ChassisType\":\"Laptop\",\"City\":\"San Francisco\",\"ComputerName\":\"mac1\",\"ConfigBuild\":\"1007.4.0014404.1\",\"ConfigIDBuild\":\"14404\",\"Continent\":\"North America\",\"Country\":\"United States\",\"FalconGroupingTags\":\"-\",\"FirstSeen\":\"1625682391.0\",\"HostHiddenStatus\":\"Visible\",\"MachineDomain\":\"none\",\"OU\":\"none\",\"PointerSize\":\"none\",\"ProductType\":\"1\",\"SensorGroupingTags\":\"-\",\"ServicePackMajor\":\"none\",\"SiteName\":\"none\",\"SystemManufacturer\":\"Apple Inc.\",\"SystemProductName\":\"MacBookPro16,2\",\"Time\":\"1636448427.3539999\",\"Timezone\":\"America/Los_Angeles\",\"Version\":\"Big Sur (11.0)\",\"aid\":\"fffffffffffaaaaaaaaabbbbbbbb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022ff\",\"event_platform\":\"Mac\"}" }, "host": { @@ -11540,9 +11617,10 @@ } }, { - "@timestamp": "2022-12-03T18:43:39.000Z", + "@timestamp": "2020-11-08T15:54:59.812Z", "crowdstrike": { "ConfigStateHash": "666346415", + "ContextTimeStamp": "2022-12-03T18:43:39.000Z", "EffectiveTransmissionClass": "3", "EndTime": "2022-12-03T18:42:00.000Z", "Entitlements": "15", 
@@ -11780,10 +11858,11 @@ } }, { - "@timestamp": "2020-11-08T15:57:10.593Z", + "@timestamp": "2020-11-08T15:57:11.298Z", "crowdstrike": { "AuthenticationId": "703298", "ConfigStateHash": "2642284486", + "ContextTimeStamp": "2020-11-08T15:57:10.593Z", "EffectiveTransmissionClass": "3", "Entitlements": "15", "FileEcpBitmask": "0", @@ -11872,10 +11951,11 @@ } }, { - "@timestamp": "2024-05-07T10:46:39.690Z", + "@timestamp": "2024-05-07T10:46:39.943Z", "crowdstrike": { "AuthenticationId": "111112312312312321", "ConfigStateHash": "821711964", + "ContextTimeStamp": "2024-05-07T10:46:39.690Z", "EffectiveTransmissionClass": "2", "Entitlements": "15", "LogonTime": "2024-05-07T10:46:39.631Z", diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml index 4ba8520ccbf..7c777e927d5 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml @@ -12,4 +12,4 @@ data_stream: queue_url: "{{TF_OUTPUT_queue_url}}" preserve_original_event: true assert: - hit_count: 125 + hit_count: 124 diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml index 28dcf347894..8b28f5788d4 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml @@ -13,4 +13,4 @@ data_stream: preserve_original_event: true keep_metadata: true assert: - hit_count: 131 + hit_count: 130 diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index 8e8afa51154..46658726382 100644 
--- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
@@ -61,9 +61,9 @@ processors:
ignore_failure: true
if: ctx.event?.created == null
- date:
- tag: date-agent-local-time
- description: Parse timestamp from event.
- field: crowdstrike.AgentLocalTime
+ tag: date-Time
+ description: Parse Time from event.
+ field: crowdstrike.Time
target_field: event.created
formats:
- ISO8601
@@ -84,7 +84,7 @@ processors:
tag: set-timestamp
field: "@timestamp"
copy_from: event.created
- if: ctx.event?.created != null && (ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == "")
+ if: ctx.event?.created != null
- set:
tag: set-timestamp-ingest
field: "@timestamp"
@@ -107,13 +107,6 @@ processors:
if (timestamp > 0x0100000000000000L) { // See https://devblogs.microsoft.com/oldnewthing/20030905-02/?p=42653 for constant.
ctx.crowdstrike.ContextTimeStamp = (timestamp / 10000000) - 11644473600L;
}
- - date:
- tag: date-context-timestamp
- if: (ctx.crowdstrike?.ContextTimeStamp != null && ctx.crowdstrike?.ContextTimeStamp != "")
- field: crowdstrike.ContextTimeStamp
- formats:
- - UNIX
- ignore_failure: true
- script:
tag: date-start-timestamp-from-nt
description: Conditionally convert StartTime from Windows NT timestamp format to UNIX.
@@ -2437,11 +2430,11 @@ processors:
- UNIX
if: ctx.crowdstrike?.FirstSeen != null && ctx.crowdstrike?.FirstSeen != ""
- date:
- field: crowdstrike.Time
- target_field: crowdstrike.Time
+ field: crowdstrike.ContextTimeStamp
+ target_field: crowdstrike.ContextTimeStamp
formats:
- UNIX
- if: ctx.crowdstrike?.Time != null && ctx.crowdstrike?.Time != ""
+ if: ctx.crowdstrike?.ContextTimeStamp != null && ctx.crowdstrike?.ContextTimeStamp != ""
- date:
field: crowdstrike.BiosReleaseDate
target_field: crowdstrike.BiosReleaseDate
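Review bot: The `set-timestamp` processor in hunk @@ -84 now copies `event.created` into `@timestamp` unconditionally, but nothing in the pipeline records why the host-side `crowdstrike.ContextTimeStamp` is no longer preferred; the tag alone will not tell a maintainer, or an analyst reading the pipeline to explain a timeline, which time `@timestamp` now carries. A `description:` next to the tag would capture that, e.g. `description: "@timestamp follows event.created (parsed from crowdstrike.Time); crowdstrike.ContextTimeStamp is kept as a separate date field."`. The `date-Time` processor in hunk @@ -61 could likewise name what it feeds, `description: Parse crowdstrike.Time into event.created.`, rather than the generic `Parse Time from event.`.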
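Review bot: The UNIX parse of `crowdstrike.ContextTimeStamp` loses its failure tolerance: the processor removed in hunk @@ -107 carried `ignore_failure: true`, while its replacement in hunk @@ -2437 (the `date` processor now targeting `crowdstrike.ContextTimeStamp`) shows only `field`, `target_field`, `formats` and `if`. A value that the preceding NT-epoch script leaves untouched and that is not a plain epoch number will now fail the document instead of passing through as the raw string, so indexing of such events depends on whatever pipeline-level `on_failure` exists outside this hunk. If that is not intended, add `ignore_failure: true` to the new processor (or a per-processor `on_failure` that records the offending value), and consider stating the expected input with `description: Convert ContextTimeStamp from UNIX format to a date.`.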
@@ -2513,7 +2506,7 @@ processors:
- _temp
- crowdstrike.timestamp
- crowdstrike._time
- - crowdstrike.ContextTimeStamp
+ - crowdstrike.Time
- crowdstrike.CreationTimeStamp
- crowdstrike.DomainName
- crowdstrike.ConnectionDirection
diff --git a/packages/crowdstrike/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
index 447764287c9..9f93c8a7736 100644
--- a/packages/crowdstrike/data_stream/fdr/fields/fields.yml
+++ b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
@@ -57,6 +57,9 @@
type: keyword
- name: ContextProcessId
type: keyword
+ - name: ContextTimeStamp
+ type: date
+ description: System local time of event creation.
- name: CreateProcessCount
type: long
- name: CreateProcessType
@@ -422,8 +425,6 @@
type: keyword
- name: Technique
type: keyword
- - name: Time
- type: date
- name: Timeout
type: long
- name: TokenType
diff --git a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs
index f85d0e35e6c..b22032157b1 100644
--- a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs
+++ b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs
@@ -26,38 +26,33 @@ state: redact: fields: ~ program: | - state.with( - ( - !state.want_more ? - request( - "GET", - state.url.trim_right("/") + "/devices/queries/devices/v1?" + { - "sort": ["modified_timestamp.asc"], - "offset": ["0"], - "limit": [string(state.batch_size)], - "filter": ['modified_timestamp:>"'+state.?cursor.last_timestamp.orValue(string(now - duration(state.initial_interval)))+'"'], - }.format_query() - ) - : - request( - "GET", - state.url.trim_right("/") + "/devices/queries/devices/v1?" + { - "sort": ["modified_timestamp.asc"], - "offset": [string(state.offset)], - "limit": [string(state.batch_size)], - ?"filter": has(state.?cursor.first_timestamp) ? optional.of(['modified_timestamp:>"'+state.cursor.first_timestamp+'"']) : optional.none(), - }.format_query() - ) - ).do_request().as(get_resp, get_resp.StatusCode == 200 ? - bytes(get_resp.Body).decode_json().as(body, { - ?"resources": has(body.resources) && body.resources.size() > 0 ? optional.of(body.resources) : optional.none(), - "events": [], - "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), - "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? - int(state.offset) + body.resources.size() + ( + state.want_more ? + state.?page.start + : + optional.of(state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339))) + ).as(filter, state.with( + get_request( + state.url.trim_right("/") + "/devices/queries/devices/v1?" + { + "sort": ["modified_timestamp.asc"], + "offset": [string(state.offset)], + "limit": [string(state.batch_size)], + ?"filter": filter.hasValue() ? + optional.of(['modified_timestamp:>"'+filter.value()+'"']) : - 0, - }) + optional.none(), + }.format_query() + ).do_request().as(get_resp, get_resp.StatusCode == 200 ? 
+ bytes(get_resp.Body).decode_json().as(body, + ( + (int(state.offset) + body.resources.size()) < body.meta.pagination.total + ).as(want_more, { + ?"resources": body.resources.size() > 0 ? optional.of(body.resources) : optional.none(), + "events": [], + "offset": want_more ? int(state.offset) + body.resources.size() : 0, + "want_more": want_more, + }) + ) : { "events": { @@ -87,18 +82,16 @@ program: | "message": e.encode_json(), }), "cursor": { - ?"last_timestamp": ( - has(inner_body.resources) && inner_body.resources.size() > 0 ? - optional.of(inner_body.resources.map(e, e.modified_timestamp).max()) - : - state.?cursor.last_timestamp - ), - "first_timestamp": ( - state.?cursor.first_timestamp.orValue(null) != null ? - (state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp) - : - string(now - duration(state.initial_interval)) - ), + ?"last_timestamp": has(inner_body.resources) && inner_body.resources.size() > 0 ? + optional.of(inner_body.resources.map(e, timestamp(e.modified_timestamp)).max().format(time_layout.RFC3339)) + : + state.?cursor.last_timestamp + }, + "page": { + "start": has(state.?page.start) ? + (state.want_more ? state.page.start : state.cursor.last_timestamp) + : + now.format(time_layout.RFC3339) }, }) : @@ -119,7 +112,7 @@ program: | } ) ) - ) + )) tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/crowdstrike/data_stream/host/sample_event.json b/packages/crowdstrike/data_stream/host/sample_event.json index 45a14423a50..187199a7af9 100644 --- a/packages/crowdstrike/data_stream/host/sample_event.json +++ b/packages/crowdstrike/data_stream/host/sample_event.json 
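Review bot: The `has(body.resources)` guard that the old code applied to `?"resources"` is gone; the new body evaluates `body.resources.size()` three times unguarded, so a 200 response without a `resources` key (an empty page, if the API omits it) now fails the whole evaluation instead of yielding an empty page. Binding the list once with an optional default keeps the single-evaluation shape and preserves the behaviour for the present case. `body.meta.pagination.total` was unguarded before this change too; the enclosing `state.with(...)` expression continues past the hunk.
```cel
bytes(get_resp.Body).decode_json().as(body,
  body.?resources.orValue([]).as(resources,
    (
      (int(state.offset) + resources.size()) < body.meta.pagination.total
    ).as(want_more, {
      ?"resources": resources.size() > 0 ? optional.of(resources) : optional.none(),
      "events": [],
      "offset": want_more ? int(state.offset) + resources.size() : 0,
      "want_more": want_more,
    })
  )
)
// … unchanged: non-200 error branch …
```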
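Review bot: The fallback for `page.start` before any page has been seen is `now.format(time_layout.RFC3339)`, but the filter the first request used was `now - duration(state.initial_interval)` (first branch of the `@@ -26` hunk), and the old `first_timestamp` fallback was `string(now - duration(state.initial_interval))`. If the initial window spans more than one page, page two onwards filters on `modified_timestamp:>now` while `offset` was computed for a different result set, so paging of the initial window appears to end early and the remaining devices are only reached through later `last_timestamp` cursors. Suggest `(now - duration(state.initial_interval)).format(time_layout.RFC3339)` as the fallback, mirroring the first-page filter. Since `has(state.?page.start)` is false only until the first response is stored, this affects only the initial run.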
@@ -1,11 +1,11 @@ { "@timestamp": "2023-11-07T10:26:53.000Z", "agent": { - "ephemeral_id": "5805cb9f-4413-4da3-8da7-b85cd99c2961", - "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "ephemeral_id": "0a68d2e5-292d-47a5-9b2f-3b34992483c2", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "crowdstrike": { "host": { @@ -147,7 +147,7 @@ }, "data_stream": { "dataset": "crowdstrike.host", - "namespace": "ep", + "namespace": "42315", "type": "logs" }, "device": { @@ -157,9 +157,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "snapshot": false, - "version": "8.11.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -167,7 +167,7 @@ "host" ], "dataset": "crowdstrike.host", - "ingested": "2024-01-22T13:24:41Z", + "ingested": "2024-08-08T07:14:40Z", "kind": "event", "original": "{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-11-07T04:51:16.678Z\",\"agent_version\":\"7.05.17603.0\",\"bios_manufacturer\":\"ABCInc.\",\"bios_version\":\"2020.0.1.0.0(iBridge:22.11.000.0.0,0)\",\"chassis_type\":\"9\",\"chassis_type_desc\":\"Laptop\",\"cid\":\"92012896127c4948236ba7601b886b0\",\"config_id_base\":\"6594763\",\"config_id_build\":\"1703\",\"config_id_platform\":\"4\",\"connection_ip\":\"81.2.69.192\",\"cpu_signature\":\"460517\",\"device_id\":\"3114433dbce478ca48d9a828b9b34be\",\"device_policies\":{\"device_control\":{\"applied\":true,\"applied_date\":\"2023-06-20T08:45:26.341093915Z\",\"assigned_date\":\"2023-06-20T08:43:47.736146738Z\",\"policy_id\":\"2f88daf0177f467dae69262a5ce71775\",\"policy_type\":\"device-control\"},\"firewall\":{\"applied\":true,\"applied_date\":\"2023-09-11T10:33:44.174488832Z\",\"assigned_date\":\"2023-09-11T10:32:47.853976945Z\",\"policy_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\",\"policy_type\":\"firewall\",\"rule_set_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\"},\"global_config\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.515775409Z\",\"assigned_date\":\"2023-11-07T04:51:18.94671252Z\",\"policy_id\":\"7e3078b60976486cac5dc998808d9135\",\"policy_type\":\"globalconfig\",\"settings_hash\":\"f01def74\"},\"prevention\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"},\"remote_response\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.01735027Z\",\"assigned_date\":\"2023-06-08T10:03:49.505163572Z\",\"policy_id\":\"dabb4def99034f11b9b3d52271584c9f\",\"policy_type\":\"remote-response\",\"settings_hash\":\"8a548e5e\"},\"sensor_update\"
:{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.659583066Z\",\"assigned_date\":\"2023-11-07T04:47:43.342175341Z\",\"policy_id\":\"64bfa2bbcd4e46da92a66b107933da11\",\"policy_type\":\"sensor-update\",\"settings_hash\":\"tagged|18;101\",\"uninstall_protection\":\"ENABLED\"}},\"external_ip\":\"81.2.69.192\",\"first_seen\":\"2023-06-08T10:00:19Z\",\"group_hash\":\"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77\",\"groups\":[\"182388a8dbea4c44b5e019cfd32c2695\"],\"hostname\":\"CLM101-131.local\",\"kernel_version\":\"22.6.0\",\"last_seen\":\"2023-11-07T10:25:24Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"14-7d-da-ad-ac-71\",\"machine_domain\":\"SYS\",\"major_version\":\"22\",\"meta\":{\"version\":\"6002\",\"version_string\":\"7:43570272778\"},\"minor_version\":\"6\",\"modified_timestamp\":\"2023-11-07T10:26:53Z\",\"os_build\":\"22G120\",\"os_version\":\"Ventura(13)\",\"platform_id\":\"1\",\"platform_name\":\"Mac\",\"policies\":[{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"}],\"product_type_desc\":\"Workstation\",\"provision_status\":\"Provisioned\",\"reduced_functionality_mode\":\"no\",\"serial_number\":\"FVFDH73HMNHX\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"ABCInc.\",\"system_product_name\":\"Air,1\",\"tags\":[\"tags\"]}", "type": [ diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index fbb790c0e2a..b90683ad833 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
@@ -51,11 +51,11 @@ An example event for `alert` looks as following: { "@timestamp": "2023-11-03T18:00:22.328Z", "agent": { - "ephemeral_id": "532c45c9-f01e-40e0-9406-8997b9a2b29c", - "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "ephemeral_id": "704de05c-668d-431b-8483-ed43ec6a5942", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "crowdstrike": { "alert": { @@ -270,7 +270,7 @@ An example event for `alert` looks as following: }, "data_stream": { "dataset": "crowdstrike.alert", - "namespace": "ep", + "namespace": "15119", "type": "logs" }, "device": { 
@@ -280,15 +280,15 @@ An example event for `alert` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "crowdstrike.alert", "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", - "ingested": "2024-02-21T09:17:46Z", + "ingested": "2024-08-08T07:13:48Z", "kind": "alert", "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi
-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54db
fec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_
pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WI
NDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cd
s-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", "severity": 30 @@ -362,9 +362,10 @@ An example event for `alert` looks as following: "crowdstrike-alert" ], "threat": { + "framework": "CrowdStrike Falcon Detections Framework", "tactic": { "id": [ - "TA0004" + "CSTA0004" ], "name": [ "MachineLearning" @@ -372,7 +373,7 @@ An example event for `alert` looks as following: }, "technique": { "id": [ - "T0000" + "CST0000" ], "name": [ "Adware/PUP" @@ -1103,6 +1104,7 @@ and/or `session_token`. | crowdstrike.ConnectType | | keyword | | crowdstrike.ConnectionFlags | | keyword | | crowdstrike.ContextProcessId | | keyword | +| crowdstrike.ContextTimeStamp | System local time of event creation. | date | | crowdstrike.CpuClockSpeed | | keyword | | crowdstrike.CpuFeaturesMask | | keyword | | crowdstrike.CpuProcessorName | | keyword | 
@@ -1361,7 +1363,6 @@ and/or `session_token`. | crowdstrike.TargetFileName | | keyword | | crowdstrike.TargetThreadId | | keyword | | crowdstrike.Technique | | keyword | -| crowdstrike.Time | | date | | crowdstrike.Timeout | | long | | crowdstrike.TokenType | | keyword | | crowdstrike.USN | | keyword | @@ -1668,11 +1669,11 @@ An example event for `host` looks as following: { "@timestamp": "2023-11-07T10:26:53.000Z", "agent": { - "ephemeral_id": "5805cb9f-4413-4da3-8da7-b85cd99c2961", - "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "ephemeral_id": "0a68d2e5-292d-47a5-9b2f-3b34992483c2", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "crowdstrike": { "host": { @@ -1814,7 +1815,7 @@ An example event for `host` looks as following: }, "data_stream": { "dataset": "crowdstrike.host", - "namespace": "ep", + "namespace": "42315", "type": "logs" }, "device": { @@ -1824,9 +1825,9 @@ An example event for `host` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "id": "8f7b87ad-2943-4c25-88be-4eaac013beb6", "snapshot": false, - "version": "8.11.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -1834,7 +1835,7 @@ An example event for `host` looks as following: "host" ], "dataset": "crowdstrike.host", - "ingested": "2024-01-22T13:24:41Z", + "ingested": "2024-08-08T07:14:40Z", "kind": "event", "original": "{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-11-07T04:51:16.678Z\",\"agent_version\":\"7.05.17603.0\",\"bios_manufacturer\":\"ABCInc.\",\"bios_version\":\"2020.0.1.0.0(iBridge:22.11.000.0.0,0)\",\"chassis_type\":\"9\",\"chassis_type_desc\":\"Laptop\",\"cid\":\"92012896127c4948236ba7601b886b0\",\"config_id_base\":\"6594763\",\"config_id_build\":\"1703\",\"config_id_platform\":\"4\",\"connection_ip\":\"81.2.69.192\",\"cpu_signature\":\"460517\",\"device_id\":\"3114433dbce478ca48d9a828b9b34be\",\"device_policies\":{\"device_control\":{\"applied\":true,\"applied_date\":\"2023-06-20T08:45:26.341093915Z\",\"assigned_date\":\"2023-06-20T08:43:47.736146738Z\",\"policy_id\":\"2f88daf0177f467dae69262a5ce71775\",\"policy_type\":\"device-control\"},\"firewall\":{\"applied\":true,\"applied_date\":\"2023-09-11T10:33:44.174488832Z\",\"assigned_date\":\"2023-09-11T10:32:47.853976945Z\",\"policy_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\",\"policy_type\":\"firewall\",\"rule_set_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\"},\"global_config\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.515775409Z\",\"assigned_date\":\"2023-11-07T04:51:18.94671252Z\",\"policy_id\":\"7e3078b60976486cac5dc998808d9135\",\"policy_type\":\"globalconfig\",\"settings_hash\":\"f01def74\"},\"prevention\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"},\"remote_response\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.01735027Z\",\"assigned_date\":\"2023-06-08T10:03:49.505163572Z\",\"policy_id\":\"dabb4def99034f11b9b3d52271584c9f\",\"policy_type\":\"remote-response\"
,\"settings_hash\":\"8a548e5e\"},\"sensor_update\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.659583066Z\",\"assigned_date\":\"2023-11-07T04:47:43.342175341Z\",\"policy_id\":\"64bfa2bbcd4e46da92a66b107933da11\",\"policy_type\":\"sensor-update\",\"settings_hash\":\"tagged|18;101\",\"uninstall_protection\":\"ENABLED\"}},\"external_ip\":\"81.2.69.192\",\"first_seen\":\"2023-06-08T10:00:19Z\",\"group_hash\":\"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77\",\"groups\":[\"182388a8dbea4c44b5e019cfd32c2695\"],\"hostname\":\"CLM101-131.local\",\"kernel_version\":\"22.6.0\",\"last_seen\":\"2023-11-07T10:25:24Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"14-7d-da-ad-ac-71\",\"machine_domain\":\"SYS\",\"major_version\":\"22\",\"meta\":{\"version\":\"6002\",\"version_string\":\"7:43570272778\"},\"minor_version\":\"6\",\"modified_timestamp\":\"2023-11-07T10:26:53Z\",\"os_build\":\"22G120\",\"os_version\":\"Ventura(13)\",\"platform_id\":\"1\",\"platform_name\":\"Mac\",\"policies\":[{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"}],\"product_type_desc\":\"Workstation\",\"provision_status\":\"Provisioned\",\"reduced_functionality_mode\":\"no\",\"serial_number\":\"FVFDH73HMNHX\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"ABCInc.\",\"system_product_name\":\"Air,1\",\"tags\":[\"tags\"]}", "type": [ diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 989018fe46a..171a1fea09d 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "1.39.1" +version: "1.39.3" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.0.3" 
diff --git a/packages/elastic_agent/changelog.yml b/packages/elastic_agent/changelog.yml index 89f32b0f7f5..0b56c3f95db 100644 --- a/packages/elastic_agent/changelog.yml +++ b/packages/elastic_agent/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.3" + changes: + - description: Restore Agent errors visualisation to Elastic-Agent agent info dashboard + type: bugfix + link: "https://github.com/elastic/integrations/pull/10773" - version: "2.0.2" changes: - description: Restore Agent errors visualisation diff --git a/packages/elastic_agent/kibana/dashboard/elastic_agent-0600ffa0-6b5e-11ed-98de-67bdecd21824.json b/packages/elastic_agent/kibana/dashboard/elastic_agent-0600ffa0-6b5e-11ed-98de-67bdecd21824.json index c18925decbf..320728d2f68 100644 --- a/packages/elastic_agent/kibana/dashboard/elastic_agent-0600ffa0-6b5e-11ed-98de-67bdecd21824.json +++ b/packages/elastic_agent/kibana/dashboard/elastic_agent-0600ffa0-6b5e-11ed-98de-67bdecd21824.json 
@@ -105,148 +105,6 @@ "title": "Table of Contents", "type": "visualization" }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d2a77691-eb30-480e-b021-e323a1f67f07", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2edb6cc-f065-48dc-acc7-0c42daded559", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "d2a77691-eb30-480e-b021-e323a1f67f07": { - "columnOrder": [ - "f82bd006-d5e8-42cf-975b-8c49ed8de2fe", - "a9b13926-7e9f-4786-9372-af9a5aad1e4e" - ], - "columns": { - "a9b13926-7e9f-4786-9372-af9a5aad1e4e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Agents", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "agent.name" - }, - "f82bd006-d5e8-42cf-975b-8c49ed8de2fe": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Versions", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "a9b13926-7e9f-4786-9372-af9a5aad1e4e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 9 - }, - "scale": "ordinal", - "sourceField": "agent.version" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b2edb6cc-f065-48dc-acc7-0c42daded559", - "key": "data_stream.dataset", - "negate": true, - "params": { - "query": "apm.*" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "apm.*" - } - } - } - ], - "internalReferences": [], - 
"query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "d2a77691-eb30-480e-b021-e323a1f67f07", - "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "a9b13926-7e9f-4786-9372-af9a5aad1e4e" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "f82bd006-d5e8-42cf-975b-8c49ed8de2fe" - ] - } - ], - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "36dd783f-4b32-41db-8d33-e2fb7b4d9365", - "w": 18, - "x": 30, - "y": 0 - }, - "panelIndex": "36dd783f-4b32-41db-8d33-e2fb7b4d9365", - "title": "[Elastic Agent] Agent Versions", - "type": "lens" - }, { "embeddableConfig": { "attributes": { @@ -435,12 +293,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-2b14e40b-0f07-4713-b7fb-96b4df2c93aa", + "name": "indexpattern-datasource-layer-d2a77691-eb30-480e-b021-e323a1f67f07", "type": "index-pattern" }, { "id": "logs-*", - "name": "72b95764-5495-4c06-b72e-7d80a4f380cc", + "name": "b2edb6cc-f065-48dc-acc7-0c42daded559", "type": "index-pattern" } ], 
@@ -449,56 +307,59 @@ "datasourceStates": { "formBased": { "layers": { - "2b14e40b-0f07-4713-b7fb-96b4df2c93aa": { + "d2a77691-eb30-480e-b021-e323a1f67f07": { "columnOrder": [ - "0af06ae8-c199-4684-a132-a1a3d42acaec", - "faf97258-224e-4050-9c05-3c4bb647a9f0" + "f82bd006-d5e8-42cf-975b-8c49ed8de2fe", + "a9b13926-7e9f-4786-9372-af9a5aad1e4e" ], "columns": { - "0af06ae8-c199-4684-a132-a1a3d42acaec": { + "a9b13926-7e9f-4786-9372-af9a5aad1e4e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Agents", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "agent.name" + }, + "f82bd006-d5e8-42cf-975b-8c49ed8de2fe": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Agents", + "label": "Versions", "operationType": "terms", "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "faf97258-224e-4050-9c05-3c4bb647a9f0", + "columnId": "a9b13926-7e9f-4786-9372-af9a5aad1e4e", "type": "column" }, - "orderDirection": "asc", - "otherBucket": false, + "orderDirection": "desc", + "otherBucket": true, "parentFormat": { "id": "terms" }, - "size": 10 + "secondaryFields": [], + "size": 9 }, "scale": "ordinal", - "sourceField": "agent.name" - }, - "faf97258-224e-4050-9c05-3c4bb647a9f0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Integrations", - "operationType": "unique_count", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "data_stream.dataset" + "sourceField": "agent.version" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "sampling": 1 } } + }, + "textBased": { + "layers": {} } }, "filters": [ 
@@ -509,17 +370,17 @@ "meta": { "alias": null, "disabled": false, - "index": "72b95764-5495-4c06-b72e-7d80a4f380cc", + "index": "b2edb6cc-f065-48dc-acc7-0c42daded559", "key": "data_stream.dataset", "negate": true, "params": { - "query": "elastic_agent*" + "query": "apm.*" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "elastic_agent*" + "data_stream.dataset": "apm.*" } } } @@ -533,16 +394,16 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "2b14e40b-0f07-4713-b7fb-96b4df2c93aa", + "layerId": "d2a77691-eb30-480e-b021-e323a1f67f07", "layerType": "data", "legendDisplay": "show", "metrics": [ - "faf97258-224e-4050-9c05-3c4bb647a9f0" + "a9b13926-7e9f-4786-9372-af9a5aad1e4e" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "0af06ae8-c199-4684-a132-a1a3d42acaec" + "f82bd006-d5e8-42cf-975b-8c49ed8de2fe" ] } ], @@ -553,38 +414,18 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": { - "dynamicActions": { - "events": [ - { - "action": { - "config": { - "openInNewTab": false, - "useCurrentDateRange": true, - "useCurrentFilters": false - }, - "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN", - "name": "Integrations Dashboard" - }, - "eventId": "f2edc3a8-5d50-4649-bb16-536aa103ed58", - "triggers": [ - "FILTER_TRIGGER" - ] - } - ] - } - }, + "enhancements": {}, "hidePanelTitles": false }, "gridData": { "h": 14, - "i": "ea70f89b-accb-4972-9119-b04d1afae410", + "i": "36dd783f-4b32-41db-8d33-e2fb7b4d9365", "w": 18, "x": 30, - "y": 14 + "y": 0 }, - "panelIndex": "ea70f89b-accb-4972-9119-b04d1afae410", - "title": "[Elastic Agent] Integrations per Agent", + "panelIndex": "36dd783f-4b32-41db-8d33-e2fb7b4d9365", + "title": "[Elastic Agent] Agent Versions", "type": "lens" }, { 
@@ -818,6 +659,275 @@ "panelIndex": "5848c519-791c-45e2-b350-0740a12c3ace", "title": "[Elastic Agent] Agents with Errors", "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2b14e40b-0f07-4713-b7fb-96b4df2c93aa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "72b95764-5495-4c06-b72e-7d80a4f380cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2b14e40b-0f07-4713-b7fb-96b4df2c93aa": { + "columnOrder": [ + "0af06ae8-c199-4684-a132-a1a3d42acaec", + "faf97258-224e-4050-9c05-3c4bb647a9f0" + ], + "columns": { + "0af06ae8-c199-4684-a132-a1a3d42acaec": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Agents", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "faf97258-224e-4050-9c05-3c4bb647a9f0", + "type": "column" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "agent.name" + }, + "faf97258-224e-4050-9c05-3c4bb647a9f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Integrations", + "operationType": "unique_count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "data_stream.dataset" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "72b95764-5495-4c06-b72e-7d80a4f380cc", + "key": "data_stream.dataset", + "negate": true, + "params": { + "query": "elastic_agent*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "elastic_agent*" + } + } + } + ], + "internalReferences": [], 
+ "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "2b14e40b-0f07-4713-b7fb-96b4df2c93aa", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "faf97258-224e-4050-9c05-3c4bb647a9f0" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0af06ae8-c199-4684-a132-a1a3d42acaec" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN", + "name": "Integrations Dashboard" + }, + "eventId": "f2edc3a8-5d50-4649-bb16-536aa103ed58", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "ea70f89b-accb-4972-9119-b04d1afae410", + "w": 18, + "x": 30, + "y": 14 + }, + "panelIndex": "ea70f89b-accb-4972-9119-b04d1afae410", + "title": "[Elastic Agent] Integrations per Agent", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "agent.name", + "message" + ], + "grid": { + "columns": { + "agent.name": { + "width": 125 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "elastic_agent*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "elastic_agent*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "log.level", + 
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "log.level", + "negate": false, + "params": { + "query": "error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "log.level": "error" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "c5caa206-df9f-430b-8ff2-7b29d29b3f06", + "w": 40, + "x": 8, + "y": 28 + }, + "panelIndex": "c5caa206-df9f-430b-8ff2-7b29d29b3f06", + "title": "Elastic-Agent errors", + "type": "search" } ], "timeRestore": false, 
@@ -825,28 +935,33 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-07-01T19:40:41.314Z", + "created_at": "2024-08-22T12:52:05.019Z", "id": "elastic_agent-0600ffa0-6b5e-11ed-98de-67bdecd21824", - "managed": true, + "managed": false, "references": [ { "id": "logs-*", - "name": "36dd783f-4b32-41db-8d33-e2fb7b4d9365:indexpattern-datasource-layer-d2a77691-eb30-480e-b021-e323a1f67f07", + "name": "1fa17cb8-3a19-4fc7-9631-0f44ce8692b4:indexpattern-datasource-layer-299e2c43-13cd-477a-ba36-4c0f84bd32a4", "type": "index-pattern" }, { "id": "logs-*", - "name": "36dd783f-4b32-41db-8d33-e2fb7b4d9365:b2edb6cc-f065-48dc-acc7-0c42daded559", + "name": "1fa17cb8-3a19-4fc7-9631-0f44ce8692b4:ffe5b460-523c-4b2c-9403-4f6b7917c660", "type": "index-pattern" }, { "id": "logs-*", - "name": "1fa17cb8-3a19-4fc7-9631-0f44ce8692b4:indexpattern-datasource-layer-299e2c43-13cd-477a-ba36-4c0f84bd32a4", + "name": "36dd783f-4b32-41db-8d33-e2fb7b4d9365:indexpattern-datasource-layer-d2a77691-eb30-480e-b021-e323a1f67f07", "type": "index-pattern" }, { "id": "logs-*", - "name": "1fa17cb8-3a19-4fc7-9631-0f44ce8692b4:ffe5b460-523c-4b2c-9403-4f6b7917c660", + "name": "36dd783f-4b32-41db-8d33-e2fb7b4d9365:b2edb6cc-f065-48dc-acc7-0c42daded559", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5848c519-791c-45e2-b350-0740a12c3ace:indexpattern-datasource-layer-501c5bb4-5af0-46bf-99c1-e08ed2c31111", "type": "index-pattern" }, { 
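Review bot: `"managed": false` near the top of the hunk makes this package-installed dashboard editable in place in Kibana, while the sibling dashboard updated in this same commit keeps `"managed": true`; unless the change is deliberate (and Fleet does not reset the flag on install), restore `"managed": true` so the two assets are consistent and users are steered to clone rather than edit an object the next package upgrade overwrites. The `created_at` bump to the export time is harmless but adds churn to every re-export; consider keeping the original value. The saved-object record starts before the hunk.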
@@ -866,13 +981,18 @@ }, { "id": "logs-*", - "name": "5848c519-791c-45e2-b350-0740a12c3ace:indexpattern-datasource-layer-501c5bb4-5af0-46bf-99c1-e08ed2c31111", + "name": "c5caa206-df9f-430b-8ff2-7b29d29b3f06:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { - "id": "elastic_agent-522c9e20-ad53-11ed-957f-f1c897630287", - "name": "9604578e-7da2-4575-923e-f15e51bca436:panel_9604578e-7da2-4575-923e-f15e51bca436", - "type": "search" + "id": "logs-*", + "name": "c5caa206-df9f-430b-8ff2-7b29d29b3f06:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5caa206-df9f-430b-8ff2-7b29d29b3f06:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" }, { "id": "logs-*", @@ -892,4 +1012,4 @@ ], "type": "dashboard", "typeMigrationVersion": "8.9.0" -} +} \ No newline at end of file diff --git a/packages/elastic_agent/kibana/dashboard/elastic_agent-1a4e7280-6b5e-11ed-98de-67bdecd21824.json b/packages/elastic_agent/kibana/dashboard/elastic_agent-1a4e7280-6b5e-11ed-98de-67bdecd21824.json index ffceb8ea047..c07a4784550 100644 --- a/packages/elastic_agent/kibana/dashboard/elastic_agent-1a4e7280-6b5e-11ed-98de-67bdecd21824.json +++ b/packages/elastic_agent/kibana/dashboard/elastic_agent-1a4e7280-6b5e-11ed-98de-67bdecd21824.json 
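Review bot: Dropping the `elastic_agent-522c9e20-ad53-11ed-957f-f1c897630287` saved-search reference in favour of the by-value search's three index-pattern references leaves the saved-search object itself untouched anywhere in this diff; if it lives under the package's Kibana assets and no other dashboard references it, remove it in this change so the package does not ship an orphaned asset. The `references` array starts before and continues after the hunk, so the remaining entries should be checked for the same id.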
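Review bot: The file's trailing newline is lost in the last hunk — the closing `}` is replaced by an identical `}` followed by `\ No newline at end of file` — so the export tooling stripped it; add the newline back before merging so the file stays POSIX-clean and this spurious one-line hunk does not reappear on every future re-export. The other dashboard JSON touched in this commit is not modified at its last line, so this looks like an export artefact rather than an intended change.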
@@ -3,8 +3,39 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"4a765eb5-fe8e-4ef3-9930-ef8f832a6832\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"data_stream.dataset\",\"title\":\"Integration Name\",\"id\":\"4a765eb5-fe8e-4ef3-9930-ef8f832a6832\",\"enhancements\":{},\"selectedOptions\":[]}},\"d5126805-1e20-4c32-8c7b-a9c0afee3215\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"agent.name\",\"title\":\"Agent Name\",\"id\":\"d5126805-1e20-4c32-8c7b-a9c0afee3215\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "4a765eb5-fe8e-4ef3-9930-ef8f832a6832": { + "explicitInput": { + "enhancements": {}, + "fieldName": "data_stream.dataset", + "id": "4a765eb5-fe8e-4ef3-9930-ef8f832a6832", + "selectedOptions": [], + "title": "Integration Name" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "d5126805-1e20-4c32-8c7b-a9c0afee3215": { + "explicitInput": { + "enhancements": {}, + "fieldName": "agent.name", + "id": "d5126805-1e20-4c32-8c7b-a9c0afee3215", + "title": "Agent Name" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + } }, "description": "", "kibanaSavedObjectMeta": { 
@@ -451,7 +482,14 @@ "hideChart": true, "isTextBasedQuery": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.kind: pipeline_error and error.message : * \"}}" + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.kind: pipeline_error and error.message : * " + } + } }, "references": [ { @@ -488,7 +526,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-12-11T11:37:02.295Z", + "created_at": "2024-08-22T12:35:00.624Z", "id": "elastic_agent-1a4e7280-6b5e-11ed-98de-67bdecd21824", "managed": true, "references": [ diff --git a/packages/elastic_agent/manifest.yml b/packages/elastic_agent/manifest.yml index f8e54d43031..5ce698f063f 100644 --- a/packages/elastic_agent/manifest.yml +++ b/packages/elastic_agent/manifest.yml @@ -1,6 +1,6 @@ name: elastic_agent title: Elastic Agent -version: 2.0.2 +version: 2.0.3 description: Collect logs and metrics from Elastic Agents. type: integration format_version: 3.1.4 diff --git a/packages/elastic_agent/validation.yml b/packages/elastic_agent/validation.yml index 99999428b3f..bcc8f74ac3a 100644 --- a/packages/elastic_agent/validation.yml +++ b/packages/elastic_agent/validation.yml @@ -1,4 +1,3 @@ errors: exclude_checks: - SVR00002 - - SVR00004 diff --git a/packages/entityanalytics_okta/changelog.yml b/packages/entityanalytics_okta/changelog.yml index f40e7c26f7d..72f61baa5ae 100644 --- a/packages/entityanalytics_okta/changelog.yml +++ b/packages/entityanalytics_okta/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.4.0" + changes: + - description: Add support for request trace logging. + type: enhancement + link: https://github.com/elastic/integrations/pull/10764 - version: "1.3.0" changes: - description: Record whether a user's credentials include a recovery question. diff --git a/packages/entityanalytics_okta/data_stream/user/_dev/test/system/test-default-config.yml b/packages/entityanalytics_okta/data_stream/user/_dev/test/system/test-default-config.yml index 48e16b7c80d..8db4e54f646 100644 --- a/packages/entityanalytics_okta/data_stream/user/_dev/test/system/test-default-config.yml +++ b/packages/entityanalytics_okta/data_stream/user/_dev/test/system/test-default-config.yml @@ -5,6 +5,7 @@ data_stream: okta_domain: trial-xxxxxxx-admin.okta.com okta_token: xxxx preserve_duplicate_custom_fields: true + enable_request_tracer: true ssl: | certificate_authorities: - | diff --git a/packages/entityanalytics_okta/data_stream/user/agent/stream/entity-analytics.yml.hbs b/packages/entityanalytics_okta/data_stream/user/agent/stream/entity-analytics.yml.hbs index 435401ea7e0..ef98cb59e2b 100644 --- a/packages/entityanalytics_okta/data_stream/user/agent/stream/entity-analytics.yml.hbs +++ b/packages/entityanalytics_okta/data_stream/user/agent/stream/entity-analytics.yml.hbs @@ -1,4 +1,8 @@ provider: okta +{{#if enable_request_tracer}} +tracer.filename: "../../logs/okta/http-request-trace-*.ndjson" +tracer.maxbackups: 5 +{{/if}} {{#if id}} id: {{id}} {{/if}} diff --git a/packages/entityanalytics_okta/data_stream/user/manifest.yml b/packages/entityanalytics_okta/data_stream/user/manifest.yml index e57abfa0c76..bd36061a3c5 100644 --- a/packages/entityanalytics_okta/data_stream/user/manifest.yml +++ b/packages/entityanalytics_okta/data_stream/user/manifest.yml 
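Review bot: In the `entity-analytics.yml.hbs` hunk the only retention bound on the trace file is `tracer.maxbackups: 5`; the trace captures full Okta requests and responses — the collected user identities and, depending on the input's redaction, the `Authorization` header built from `okta_token` — at `../../logs/okta/http-request-trace-*.ndjson`, so a debugging session that is not switched off accumulates identity data on the agent host bounded only by the rotation defaults. If the provider accepts the same rotation fields as the CEL input's `resource.tracer`, add `tracer.maxsize` and `tracer.maxage` next to `maxbackups`; otherwise state the effective defaults in the variable's description. A Handlebars comment above the block, `{{!-- debugging only: writes full request/response bodies to disk --}}`, would make the risk visible to the next template editor. The rest of the template follows the hunk.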
@@ -103,6 +103,13 @@ streams: # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk # sxSmbIUfc2SGJGCJD4I= # -----END CERTIFICATE----- + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. - name: tags type: text title: Tags diff --git a/packages/entityanalytics_okta/manifest.yml b/packages/entityanalytics_okta/manifest.yml index 3e36b795595..56e2727f69b 100644 --- a/packages/entityanalytics_okta/manifest.yml +++ b/packages/entityanalytics_okta/manifest.yml @@ -1,14 +1,14 @@ format_version: "3.0.2" name: entityanalytics_okta title: Okta Entity Analytics -version: "1.3.0" +version: "1.4.0" description: "Collect User Identities from Okta with Elastic Agent." type: integration categories: - security conditions: kibana: - version: "^8.13.0" + version: "^8.15.0" elastic: subscription: "basic" screenshots: diff --git a/packages/fortinet_fortigate/changelog.yml b/packages/fortinet_fortigate/changelog.yml index 36d60512156..a42b2501440 100644 --- a/packages/fortinet_fortigate/changelog.yml +++ b/packages/fortinet_fortigate/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.6" + changes: + - description: Fix test data + type: bugfix + link: https://github.com/elastic/integrations/pull/10865 - version: "1.25.5" changes: - description: Fix handling alternative logs for Administrator logins diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log index 22846b2c458..80927ba6af8 100644 
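Review bot: The new `enable_request_tracer` variable's `description` links to the CEL input's `_resource_tracer_filename` anchor, but the template this variable gates sets the entity-analytics input's `tracer.filename`, not `resource.tracer.filename`; link the entity-analytics input's own tracer documentation if one exists, or say explicitly that the option behaves like the CEL `resource.tracer` settings so readers are not sent to the wrong option names. Since the text already says enabling tracing compromises security, add one sentence that the trace files contain the collected identity data and should be deleted once debugging is done. The description is also a single ~400-character plain scalar; writing it as `description: >-` with wrapped lines keeps it within line-length limits without changing the value. The enclosing `vars` list continues outside the hunk.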
--- a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log +++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log 
@@ -37,7 +37,7 @@ date=2020-09-28 time=15:36:26 eventtime=1601332560405228924 tz="-0700" logid="01 date=2020-09-28 time=15:36:26 eventtime=1601332560336851635 tz="-0700" logid="0114032601" type="event" subtype="switch-controller" level="information" vd="vdom1" logdesc="Switch-Controller discovered" user="daemon_admin" ui="cmdbsvr" sn="S248EPTF18001384" name="S248EPTF18001384" msg="S248EPTF18001384 Discovered" date=2022-02-02 time=15:52:09 eventtime=1643845930263415066 tz="-0800" logid="0116047301" type="event" subtype="rest-api" level="information" vd="root" logdesc="REST API request success" user="admin" ui="GUI(192.168.1.69)" method="GET" path="system.usb-log" status="200" url="/api/v2/monitor/system/usb-log?vdom=root" date=2022-02-02 time=15:52:06 eventtime=1643845926774931021 tz="-0800" logid="0116047301" type="event" subtype="rest-api" level="information" vd="root" logdesc="REST API request success" user="admin" ui="GUI(192.168.1.69)" method="GET" path="license.status" status="200" url="/api/v2/monitor/license/status?vdom=root" -date=2022-02-02 time=15:52:06 eventtime=1643845926764579729 tz="-0800" logid="0116047301" type="event" subtype="rest-api" level="information" vd="root" logdesc="REST API request success" user="admin" ui="GUI(192.168.1.69)" method="GET" path="log.fortianalyzer.setting" status="200" url="/api/v2/cmdb/log.fortianalyzer/setting?vdom=root" +date=2022-02-02 time=15:52:06 eventtime=1643845926764579729 tz="-0800" logid="0116047301" type="event" subtype="rest-api" level="information" vd="root" logdesc="REST API request success" user="admin" ui="GUI(192.168.1.69)" method="GET" path="log.fortianalyzer.setting" status="200" url="/api/v2/cmdb/log_fortianalyzer/setting?vdom=root" date=2022-02-02 time=15:52:06 eventtime=1643845926762372766 tz="-0800" logid="0116047301" type="event" subtype="rest-api" level="information" vd="root" logdesc="REST API request success" user="admin" ui="GUI(192.168.1.69)" method="GET" path="system.sandbox" 
action="connection" status="200" url="/api/v2/monitor/system/sandbox/connection?vdom=root" date=2022-02-02 time=15:52:06 eventtime=1643845926755869998 tz="-0800" logid="0116047301" type="event" subtype="rest-api" level="information" vd="root" logdesc="REST API request success" user="admin" ui="GUI(192.168.1.69)" method="GET" path="system.firmware" status="200" url="/api/v2/monitor/system/firmware?vdom=root" date=2021-12-20 time=16:43:54 eventtime=1640047434839814226 tz="-0800" logid="0100020214" type="event" subtype="system" level="warning" vd="root" logdesc="Locally generated traffic goes to IoC location" srcip=172.16.200.2 srcport=18047 dstip=216.160.83.56 dstport=514 session_id=23563 proto=6 diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json index 961d74f51f3..b2c109f7690 100644 --- a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json +++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json 
@@ -2274,7 +2274,7 @@ "event": { "code": "0116047301", "kind": "event", - "original": "date=2022-02-02 time=15:52:06 eventtime=1643845926764579729 tz=\"-0800\" logid=\"0116047301\" type=\"event\" subtype=\"rest-api\" level=\"information\" vd=\"root\" logdesc=\"REST API request success\" user=\"admin\" ui=\"GUI(192.168.1.69)\" method=\"GET\" path=\"log.fortianalyzer.setting\" status=\"200\" url=\"/api/v2/cmdb/log.fortianalyzer/setting?vdom=root\"", + "original": "date=2022-02-02 time=15:52:06 eventtime=1643845926764579729 tz=\"-0800\" logid=\"0116047301\" type=\"event\" subtype=\"rest-api\" level=\"information\" vd=\"root\" logdesc=\"REST API request success\" user=\"admin\" ui=\"GUI(192.168.1.69)\" method=\"GET\" path=\"log.fortianalyzer.setting\" status=\"200\" url=\"/api/v2/cmdb/log_fortianalyzer/setting?vdom=root\"", "start": "2022-02-02T15:52:06.764-08:00", "timezone": "-0800" }, @@ -2314,8 +2314,7 @@ "preserve_original_event" ], "url": { - "extension": "fortianalyzer/setting", - "path": "/api/v2/cmdb/log.fortianalyzer/setting", + "path": "/api/v2/cmdb/log_fortianalyzer/setting", "query": "vdom=root" } }, diff --git a/packages/fortinet_fortigate/manifest.yml b/packages/fortinet_fortigate/manifest.yml index e9b00932ca2..5ebb22c5f86 100644 --- a/packages/fortinet_fortigate/manifest.yml +++ b/packages/fortinet_fortigate/manifest.yml @@ -1,6 +1,6 @@ name: fortinet_fortigate title: Fortinet FortiGate Firewall Logs -version: "1.25.5" +version: "1.25.6" description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/fortinet_fortiproxy/changelog.yml b/packages/fortinet_fortiproxy/changelog.yml index 5cd61e64a2f..10d9c4e3033 100644 --- a/packages/fortinet_fortiproxy/changelog.yml +++ b/packages/fortinet_fortiproxy/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.3.1" + changes: + - description: Fix udp_options in UDP agent file. + type: bugfix + link: https://github.com/elastic/integrations/pull/10771 - version: "0.3.0" changes: - description: Remap devname to observer.name and process url field. diff --git a/packages/fortinet_fortiproxy/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortiproxy/data_stream/log/agent/stream/udp.yml.hbs index b01c5bed53e..4e16f1c08a1 100644 --- a/packages/fortinet_fortiproxy/data_stream/log/agent/stream/udp.yml.hbs +++ b/packages/fortinet_fortiproxy/data_stream/log/agent/stream/udp.yml.hbs @@ -16,6 +16,6 @@ ssl: {{ssl}} processors: {{processors}} {{/if}} -{{#if tcp_options}} -{{tcp_options}} +{{#if udp_options}} +{{udp_options}} {{/if}} diff --git a/packages/fortinet_fortiproxy/manifest.yml b/packages/fortinet_fortiproxy/manifest.yml index 0e307236d54..cb73bd78410 100644 --- a/packages/fortinet_fortiproxy/manifest.yml +++ b/packages/fortinet_fortiproxy/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.3 name: fortinet_fortiproxy title: "Fortinet FortiProxy" -version: 0.3.0 +version: 0.3.1 description: "Collect logs from Fortinet FortiProxy with Elastic Agent." type: integration categories: diff --git a/packages/gcp_metrics/changelog.yml b/packages/gcp_metrics/changelog.yml index c5451bf8b9a..1ded0af7c03 100644 --- a/packages/gcp_metrics/changelog.yml +++ b/packages/gcp_metrics/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 0.2.0 + changes: + - description: Set kibana restriction to 8.15.0, where was reduced scope of the ecs_geo_point + type: enhancement + link: https://github.com/elastic/integrations/pull/10665 - version: 0.1.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/gcp_metrics/manifest.yml b/packages/gcp_metrics/manifest.yml index 2d98f33db3c..fc730b1bd19 100644 --- a/packages/gcp_metrics/manifest.yml +++ b/packages/gcp_metrics/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.0" name: gcp_metrics title: "GCP Metrics Input" -version: "0.1.0" +version: "0.2.0" description: "GCP Metrics Input" type: input icons: @@ -14,7 +14,7 @@ categories: - google_cloud conditions: kibana: - version: ^8.5.0 + version: ^8.15.0 elastic: subscription: "basic" policy_templates: diff --git a/packages/gigamon/_dev/build/build.yml b/packages/gigamon/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/gigamon/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" diff --git a/packages/gigamon/_dev/build/docs/README.md b/packages/gigamon/_dev/build/docs/README.md new file mode 100644 index 00000000000..0fe4c667884 --- /dev/null +++ b/packages/gigamon/_dev/build/docs/README.md 
@@ -0,0 +1,103 @@ +# Gigamon Integration + +Gigamon leverages deep packet inspection (DPI) to extract over 7500+ app related metadata attributes from the raw packets in the network. Gigamon Elastic Integration delivers intelligent security analytics and threat intelligence across the enterprise, and you get a single solution for attack detection, threat visibility, proactive hunting, and threat response. + +## Data streams + +The Gigamon integration currently provides a single +data stream: `ami`. + +## Requirements + +- Elastic Agent must be installed. +- You can install only one Elastic Agent per host. + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to +define, configure, and manage your agents in a central location. We recommend +using Fleet management because it makes the management and upgrade of your +agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent +locally on the system where it is installed. You are responsible for managing +and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or +standalone. Docker images for all versions of Elastic Agent are available +from the Elastic Docker registry, and we provide deployment manifests for +running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more +information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **kibana.version** required is **8.12.0**. 
+ + +### Setup + +## Gigamon setup + +To export data to Gigamon Elastic Integration. + +1. From Fabric Manager, Deploy an AMX node with traffic acquisition method as "Customer Orchestrated Source". + +2. Create an Monitoring Session with (Rep In ----> AMX ---> Rep Out). + + + +To add AMX application: + +1. Drag and drop Application Metadata Exporter from APPLICATIONS to the graphical workspace. The Application quick view appears. +2. Enter the Alias for the application. Enter a port number for the Cloud Tool Ingestor Port. Then, click the Add button for Cloud Tool Exports. +3. You can export your Application Metadata Intelligence output to cloud tools. Enter the following details for the Cloud tool export in the Application quick view: + + -**Alias**:Enter the alias name for the cloud tool export. + + -**Cloud Tool**:Select the Cloud tool from the drop-down menu.If it is not available click "others". + + -**Endpoint**:Give the URL of the cloud tool instance with the correct port number in which the port is listening. + + -**Headers**:Enter the secret header and enable secure keys + + -**Enable Export**:Enable the box to export the Application Metadata Intelligence output in JSON format. + + -**Zip**:Enable the box to compress the output file. + + -**Interval**:The time interval (in seconds) in which the data should be uploaded periodically. The recommended minimum time interval is 10 seconds and the maximum time interval is 30 minutes. + + -**Parallel Writer**:Specifies the number of simultaneous JSON exports done. + + -**Export Retries**:The number of times the application tries to export the entries to Cloud Tool. The recommended minimum value is 4 and the maximum is 10. + + -**Maximum Entries**:The number of JSON entries in a file. The maximum number of allowed entries is 5000 and the minimum is 10, however 1000 is the default value. + + -**Labels**:Click Add. Enter the following details: + + o Enter the Key . + o Enter the Value. + + +4. 
Click Deploy to deploy the monitoring session. The Select nodes to deploy the Monitoring Session dialog box appears. Select the GigaVUE V Series Node for which you wish to deploy the monitoring session. +5. After selecting the V Series Node, select the interfaces for the REPs deployed in the monitoring session from the drop-down menu. Then, click Deploy. + +## Logs Reference + +### ami + +This is the `ami` dataset. + +#### Example + +{{event "ami"}} + +{{fields "ami"}} + diff --git a/packages/gigamon/_dev/deploy/docker/docker-compose.yml b/packages/gigamon/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..5a3470e540c --- /dev/null +++ b/packages/gigamon/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,11 @@ +version: "2.3" +services: + gigamon-ami-http-endpoint: + image: docker.elastic.co/observability/stream:v0.15.0 + volumes: + - ./sample_logs:/sample_logs:ro + environment: + - STREAM_PROTOCOL=webhook + - STREAM_ADDR=http://elastic-agent:9559/ + - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson + command: log --start-signal=SIGHUP --delay=5s /sample_logs/ami-http_endpoint.log diff --git a/packages/gigamon/_dev/deploy/docker/sample_logs/ami-http_endpoint.log b/packages/gigamon/_dev/deploy/docker/sample_logs/ami-http_endpoint.log new file mode 100644 index 00000000000..77e5e18f757 --- /dev/null +++ b/packages/gigamon/_dev/deploy/docker/sample_logs/ami-http_endpoint.log 
@@ -0,0 +1 @@ + [ {"ts":"Thu May 16 15:25:25 2023","vendor":"Gigamon","version":"6.5.00","generator":"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6","dst_mac":"01:00:5e:00:00:fb","src_mac":"00:50:56:8d:89:41","src_ip":"10.114.82.101","dst_ip":"224.0.0.251","protocol":"17","src_port":"5353","dst_port":"5353","device_inbound_interface":"0","dns_qdcount":"4","dns_transaction_id":"0","dns_name":"pnstrex-83816.local","dns_name":"101.82.114.10.in-addr.arpa","dns_name":"pnstrex-83816.local","dns_name":"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa","dns_name":"pnstrex-83816.local","dns_name":"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa","dns_host":"pnstrex-83816.local","dns_host":"pnstrex-83816.local","dns_host":"pnstrex-83816.local","dns_host_addr":"10.114.82.101","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"AAAA","dns_host_type":"PTR","dns_host_type":"AAAA","dns_host_type":"PTR","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_flags":"0","dns_opcode":"0","dns_class":"1","dns_class":"1","dns_class":"1","dns_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_raw":"706e73747265782d38333831362e6c6f63616c","dns_host_raw":"706e73747265782d38333831362e6c6f63616c","dns_host_raw":"706e73747265782d38333831362e6c6f63616c","dns_query":"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa","dns_query":"pnstrex-83816.local","dns_query":"101.82.114.10.in-addr.arpa","dns_query":"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa","dns_query_type":"255","dns_query_type":"255","dns_query_type":"255","dns_query_type":"255","app_id":"32","ip_version":"4","src_bytes":"337","dst_bytes":"0","src_packets":"1","dst_packets":"0","start_time":"2023:12:13 15:25:11.181","end_time":"2023:12:13 15:25:11.181","intf_name":"0","egress_intf_id":"0","sys_up_time_first":"3497355275","sys_up_time_last":"3497355275","end_reason":"1","app_name":"dns","id":"679408454713072647","seq_num":"656"},{"ts":"Wed Dec 13 15:25:26 2023","vendor":"Gigamon","version":"6.5.00","generator":"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6","dst_mac":"01:00:5e:00:00:fb","src_mac":"00:1d:ac:45:34:00","src_ip":"10.115.80.208","dst_ip":"224.0.0.251","protocol":"17","src_port":"5353","dst_port":"5353","device_inbound_interface":"0","dns_qdcount":"2","dns_qdcount":"2","dns_ancount":"4","dns_transaction_id":"0","dns_transaction_id":"0","dns_name":"_tcn_eqaHCT._tcp.local","dns_name":"_tcn_eqaHCT._tcp.local","dns_name":"_tcn_eqaHCT._tcp.local","dns_name":"_tcn_eqaHCT._tcp.local","dns_host":"TA400_6008-f89668c8452a._tcn_eqaHCT._tcp.local","dns_host":"HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local","dns_host":"TA400_6008-f89668c8452a._tcn_eqaHCT._tcp.local","dns_host":"HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local","dns_host_type":"PTR","dns_host_type":"PTR","dns_host_type":"PTR","dns_host_type":"PTR","dns_ttl":"4199","dns_ttl":"4500","dns_ttl":"4198","dns_ttl":"4499","dns_flags":"0","dns_flags":"0","dns_opcode":"0","dns_opcode":"0","dns_class":"1","dns_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_class":"1","dns_host_raw":"54413430305f363030382d6638393636386338343532612e5f74636e5f6571614843542e5f7463702e6c6f63616c","dns_host_raw":"4843545f363031312d3138316530306133306166362e5f74636e5f6571614843542e5f7463702e6c6f63616c","dns_host_raw":"54413430305f363030382d6638393636386338343532612e5f74636e5f6571614843542e5f7463702e6c6f63616c","dns_host_raw":"4843545f363031312d3138316530306133306166362e5f7
4636e5f6571614843542e5f7463702e6c6f63616c","dns_query":"_tcn_eqaHCT._tcp.local","dns_query":"HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local","dns_query":"_tcn_eqaHCT._tcp.local","dns_query":"HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local","dns_query_type":"16","dns_query_type":"16","dns_query_type":"16","dns_query_type":"16","app_id":"32","ip_version":"4","src_bytes":"324","dst_bytes":"0","src_packets":"2","dst_packets":"0","start_time":"2023:12:13 15:25:10.797","end_time":"2023:12:13 15:25:11.789","intf_name":"0","egress_intf_id":"0","sys_up_time_first":"1349806091","sys_up_time_last":"813197323","end_reason":"1","app_name":"dns","id":"679408454713073671","seq_num":"657"},{"ts":"Wed Dec 13 15:25:27 2023","vendor":"Gigamon","version":"6.5.00","generator":"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6","dns_qdcount":"2","dns_qdcount":"0","dns_qdcount":"0","dns_qdcount":"2","dns_qdcount":"2","dns_qdcount":"2","dns_qdcount":"0","dns_qdcount":"0","dns_qdcount":"0","dns_ancount":"9","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_transaction_id":"0","dns_name":"systest-virtual-machine-557151.local","dns_name":"7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa","dns_name":"systest-virtual-machine-557151.local","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"systest-virtual-machine-557151.local","dns_name":"systest-virtual-machine-557152.local","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"systest-virtual-machine-557152.local","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"systest-virtual-machine-557152.local","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"systest-virtual-machine-557152.local","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"systest-virtual-machine-557152.local","dns_name":"167.84.115.10.in-addr.arpa","dns_name":"systest-virtual-machine-557152.local","dns_host":"systest-virtual-machine-557151.local","dns_host":"systest-virtual-machine-557151.local","dns_host":"systest-virtual-machine-557152.local","dns_host":"systest-virtual-machine-557152.local","dns_host":"systest-virtual-machine-557152.local","dns_host":"systest-virtual-machine-557152.local","dns_host":"systest-virtual-machine-557152.local","dns_host":"systest-virtual-machine-557152.local","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_addr":"10.115.84.167","dns_host_type":"AAAA","dns_host_type":"PTR","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"A","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"PTR","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"A","dns_host_type":"PTR","dns_host_type":"A","dns_reply_code":"0","dns_reply_code":"0","dns_reply_code":"0","dns_reply_code":"0","dns_reply_code":"0","dns_response_time":"0.000116","dns_response_time":"0.200689","dns_response_time":"1.306583","dns_response_time":"3.412379","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"0","dns
_ttl":"0","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_ttl":"120","dns_flags":"0","dns_flags":"33792","dns_flags":"33792","dns_flags":"0","dns_flags":"0","dns_flags":"0","dns_flags":"33792","dns_flags":"33792","dns_flags":"33792","dns_opcode":"0","dns_opcode":"0","dns_opcode":"0","dns_opcode":"0","dns_opcode":""} , {"ts":"Thu May 16 11:23:13 2024","vendor":"Gigamon","version":"6.6.00","generator":"gs_apps_appInst7_42375229-0c78-3d69-007d-f772de272c51","dst_mac":"00:50:56:b7:64:0c","src_mac":"00:50:56:b7:1b:b0","src_ip":"192.118.1.30","dst_ip":"192.118.1.1","protocol":"17","src_port":"68","dst_port":"67","device_inbound_interface":"0","app_id":"29","ip_version":"4","src_bytes":"337","dst_bytes":"342","src_packets":"1","dst_packets":"1","start_time":"2024:03:23 11:23:13.360","end_time":"2024:03:23 11:23:13.360","intf_name":"0","egress_intf_id":"0","sys_up_time_first":"944648320","sys_up_time_last":"944648320","end_reason":"2","app_name":"dhcp","id":"2661760802582691841","seq_num":"8701"} , {"ts":"Thu May 16 06:27:07 2024","vendor":"Gigamon","version":"6.6.00","generator":"gs_apps_appInst7_42375229-0c78-3d69-007d-f772de272c51","dst_mac":"00:50:56:a0:fe:6a","src_mac":"5c:31:92:40:19:7f","src_ip":"10.116.2.100","dst_ip":"10.115.82.138","protocol":"6","src_port":"80","dst_port":"60922","device_inbound_interface":"0","app_id":"4968","ip_version":"4","src_bytes":"1514","dst_bytes":"0","src_packets":"1","dst_packets":"0","start_time":"2024:05:16 06:27:07.344","end_time":"2024:05:16 06:27:07.344","intf_name":"0","egress_intf_id":"0","sys_up_time_first":"1297515008","sys_up_time_last":"1297515008","end_reason":"5","app_name":"Unknown tcp","id":"2662004089650413569","seq_num":"10977963"} , {"ts":"Thu May 16 06:27:07 
2024","vendor":"Gigamon","version":"6.6.00","generator":"gs_apps_appInst7_42375229-0c78-3d69-007d-f772de272c51","dst_mac":"00:50:56:a0:fe:6a","src_mac":"5c:31:92:40:19:7f","src_ip":"10.116.2.100","dst_ip":"10.115.82.138","protocol":"6","src_port":"80","dst_port":"60922","device_inbound_interface":"0","app_id":"4968","ip_version":"4","src_bytes":"1514","dst_bytes":"0","src_packets":"1","dst_packets":"0","start_time":"2024:05:16 06:27:07.344","end_time":"2024:05:16 06:27:07.344","intf_name":"0","egress_intf_id":"0","sys_up_time_first":"1297515008","sys_up_time_last":"1297515008","end_reason":"5","app_name":"Unknown tcp","id":"2662004089665093633","seq_num":"10977963"} , {"ts":"Thu May 16 04:24:46 2024","vendor":"Gigamon","version":"6.6.00","generator":"gs_apps_appInst0_42375229-0c78-3d69-007d-f772de272c51","dst_mac":"0c:c4:7a:f8:0d:c4","src_mac":"00:50:56:9f:7f:ff","src_ip":"10.115.83.4","dst_ip":"10.115.81.118","protocol":"6","src_port":"58194","dst_port":"443","device_inbound_interface":"0","app_id":"68","ip_version":"4","src_bytes":"8591","dst_bytes":"62421","src_packets":"49","dst_packets":"48","start_time":"2024:03:18 04:24:25.232","end_time":"2024:03:18 04:24:32.176","intf_name":"0","egress_intf_id":"0","sys_up_time_first":"487520192","sys_up_time_last":"487527136","end_reason":"1","app_name":"https","id":"11038398651553546241","seq_num":"584615","eventType":"2"} , { "ts": "Thu May 16 10:58:39 2024", "vendor": "Gigamon", "version": "2.7.0", "generator": "gs_apps_FmAuto-App_Intelligence-appmetadata-465de222-d147-4001-8516-c56f29bdcfcb_ec22ba36-c257-93a4-bd84-91126b667cbc", "dst_mac": "02:01:93:9c:99:4b", "src_mac": "02:01:93:9c:98:37", "src_ip": "10.1.0.2", "dst_ip": "11.1.0.2", "protocol": "6", "src_port": "34028", "dst_port": "443", "ssl_certif_md5": "100000003d0aeba0db3af776145c3f9b2941b795", "ssl_common_name": "www.spirent.com", "ssl_issuer": "www.spirent.com", "ssl_validity_not_before": "2018-08-21 15:41:02", "ssl_validity_not_after": "2028-08-18 15:41:02", 
"ssl_serial_number": "0090ad88e8aefe748b", "ssl_handshake_type": "1", "ssl_organization_name": "Spirent", "ssl_request_size": "1791", "ssl_cipher_suite_id": "156", "ssl_cipher_suite_list": "009c00ff", "ssl_certif_sha1": "14000000dc8804aad47a9fecf23495e33c4a6f6aaa01aa44", "ssl_content_type": "22", "ssl_protocol_version": "771", "ssl_client_hello_extension_type": "13", "ssl_server_hello_extension_type": "65281", "ssl_certificate_dn_subject": "C=US,ST=California,L=San Jose,O=,OU=,CN=www.spi rent.com", "ssl_certificate_subject_cn": "www.spirent.com", "ssl_certificate_subject_l": "San Jose", "ssl_certificate_subject_st": "California", "ssl_certificate_subject_o": "Spirent", "ssl_certificate_subject_ou": "AppSec", "ssl_certificate_subject_c": "US", "ssl_certificate_dn_issuer": "C=US,ST=California,L=San Jose,O=,OU=,CN=www.spi rent.com", "ssl_certificate_issuer_cn": "www.spirent.com", "ssl_certificate_issuer_l": "San Jose", "ssl_certificate_issuer_st": "California", "ssl_certificate_issuer_o": "Spirent", "ssl_certificate_issuer_ou": "AppSec", "ssl_certificate_issuer_c": "US", "ssl_client_hello_extension_len": "32", "ssl_server_hello_extension_len": "1", "ssl_nb_compression_methods": "1", "ssl_compression_method": "0", "ssl_ext_sig_algorithms_len": "30", "ssl_ext_sig_algorithm_scheme": "1537", "ssl_ext_sig_algorithm_hash": "6", "ssl_ext_sig_algorithm_sig": "2", "ssl_certificate_subject_key_algo_oid": "1.2.840.113549.1.1.1", "ssl_certificate_subject_key_size": "74", "ssl_cert_extension_oid": "2.5.29.14", "ssl_cert_ext_authority_key_id": "c8d57206ca0eee1b026e53d66668e947a156026a", "ssl_cert_ext_subject_key_id": "c8d57206ca0eee1b026e53d66668e947a156026a", "ssl_fingerprint_ja3": "b92a3c873c2139b5ee5fa0a03023b6ce", "ssl_fingerprint_ja3s": "ccd5709d4a9027ec272e98b9924c36f7", "ssl_index": "1", "ssl_session_id": "a87bfd1ed4d7b8f415bb1e0d3981b172714a4dcb6e481ec27b463570df6b7b74", "ssl_declassify_override": "0", "ssl_signalization_override": "0", "app_id": "68", "ip_version": "4", 
"tcp_flags": "2", "src_packets": "131", "dst_packets": "153", "start_time": "2023:03:09 10:57:00.797", "end_time": "2023:03:09 10:57:01.797", "end_reason": "2", "app_name": "https", "src_bytes": "29560", "dst_bytes": "63026", "id": "2325896706092000771", "seq_num": "64754890"} ] diff --git a/packages/gigamon/changelog.yml b/packages/gigamon/changelog.yml new file mode 100644 index 00000000000..8725ed53796 --- /dev/null +++ b/packages/gigamon/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial release + type: enhancement + link: https://github.com/elastic/integrations/pull/10268 diff --git a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json new file mode 100644 index 00000000000..48937b9bcba --- /dev/null +++ b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json 
@@ -0,0 +1,2206 @@ +{ + "events": [ + { + "json": { + "ts": "Wed Dec 13 15:25:25 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:89:41", + "src_ip": "10.114.82.101", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-83816.local", + "dns_host_addr": "10.114.82.101", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333831362e6c6f63616c", + "dns_query": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "337", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:11.181", + "end_time": "2023:12:13 15:25:11.181", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3497355275", + "sys_up_time_last": "3497355275", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713072647", + "seq_num": "656" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:26 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:1d:ac:45:34:00", + "src_ip": "10.115.80.208", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "2", + "dns_ancount": "4", + "dns_transaction_id": "0", + "dns_name": "_tcn_eqaHCT._tcp.local", + "dns_host": "HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local", + "dns_host_type": "PTR", + "dns_ttl": "4499", 
+ "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "4843545f363031312d3138316530306133306166362e5f74636e5f6571614843542e5f7463702e6c6f63616c", + "dns_query": "HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local", + "dns_query_type": "16", + "app_id": "32", + "ip_version": "4", + "src_bytes": "324", + "dst_bytes": "0", + "src_packets": "2", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:10.797", + "end_time": "2023:12:13 15:25:11.789", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1349806091", + "sys_up_time_last": "813197323", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713073671", + "seq_num": "657" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:27 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:62:db", + "src_ip": "10.115.85.229", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "b.d.2.6.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_host": "linux-49197.local", + "dns_host_addr": "10.115.85.229", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d34393139372e6c6f63616c", + "dns_query": "229.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:12.781", + "end_time": "2023:12:13 15:25:12.781", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "276588555", + "sys_up_time_last": "276588555", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713074695", + "seq_num": "658" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:27 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "9", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-557152.local", + "dns_host": "systest-virtual-machine-557152.local", + "dns_host_addr": "10.115.84.167", + "dns_host_type": "A", + "dns_reply_code": "0", + "dns_response_time": "3.412379", + "dns_ttl": "120", + "dns_flags": "33792", + "dns_opcode": "" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:27 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "2", + "dns_ancount": "400", + "dns_transaction_id": "0", + "dns_name": "_" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:28 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "27", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-552999.local" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:28 2023", + "vendor": "Gigamon", + "version": "6.5.00", + 
"generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "1", + "dns_ancount": "19", + "dns_transaction_id": "0", + "dns_name": "_tcn_ABCD99995._tcp.local", + "dns_host": "gigamon_8b6c6e-3513b246ab72._tcn_ABCD99995._tcp.local", + "dns_host_type": "PTR" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:29 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:72:27", + "src_ip": "10.115.85.224", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "7.2.2.7.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "linux-69816.local", + "dns_host_addr": "10.115.85.224", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d36393831362e6c6f63616c", + "dns_query": "224.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:15.037", + "end_time": "2023:12:13 15:25:15.037", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3766773771", + "sys_up_time_last": "3766773771", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713079815", + "seq_num": "663" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:30 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:d8:f7", + "src_ip": "10.114.82.167", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": 
"4", + "dns_transaction_id": "0", + "dns_name": "0.7.1.8.d.2.7.5.f.d.5.3.8.6.c.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-85507.local", + "dns_host_addr": "10.114.82.167", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38353530372e6c6f63616c", + "dns_query": "7.7.4.f.0.1.0.d.e.7.9.c.d.f.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "337", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:15.901", + "end_time": "2023:12:13 15:25:15.901", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1082681355", + "sys_up_time_last": "1082681355", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713080839", + "seq_num": "664" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:30 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:9c:74:4e", + "src_ip": "10.114.83.205", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "3.d.9.2.5.4.0.b.9.1.8.8.2.1.0.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-61351.local", + "dns_host_addr": "10.114.83.205", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d36313335312e6c6f63616c", + "dns_query": "2.7.8.c.f.f.6.2.a.5.8.1.2.3.4.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "335", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:15.917", + "end_time": "2023:12:13 15:25:15.917", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1351116811", + "sys_up_time_last": "1351116811", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713081863", + "seq_num": "665" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:31 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:d4:c8", + "src_ip": "10.115.85.219", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "8.c.4.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "linux-52270.local", + "dns_host_addr": "10.115.85.219", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d35323237302e6c6f63616c", + "dns_query": "219.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:17.229", + "end_time": "2023:12:13 15:25:17.229", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1888315403", + "sys_up_time_last": "1888315403", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713082887", + "seq_num": "666" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:33 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:9d:d1:ff", + "src_mac": "00:50:56:b7:e4:a1", + 
"src_ip": "10.115.83.37", + "dst_ip": "10.115.83.43", + "protocol": "17", + "src_port": "23384", + "dst_port": "514", + "device_inbound_interface": "0", + "app_id": "4979", + "ip_version": "4", + "src_bytes": "837334", + "dst_bytes": "0", + "src_packets": "629", + "dst_packets": "0", + "start_time": "2023:12:13 15:24:33.549", + "end_time": "2023:12:13 15:25:31.645", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3504498443", + "sys_up_time_last": "3234162699", + "end_reason": "2", + "app_name": "Unknown udp", + "id": "679408454713083911", + "seq_num": "667" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:35 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "9", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-552428.local", + "dns_host": "systest-virtual-machine-552428.local", + "dns_host_addr": "10.115.84.155", + "dns_host_type": "A", + "dns_reply_code": "0", + "dns_response_time": "3.520447", + "dns_ttl": "120", + "dns_flags": "33792", + "dns_opcode": "" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:35 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:86:1f:d9", + "src_ip": "10.115.84.168", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_host": "systest-virtual-machine-560412.local", + "dns_host_addr": "10.115.84.168", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3536303431322e6c6f63616c", + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "434", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:20.509", + "end_time": "2023:12:13 15:25:20.509", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1083861003", + "sys_up_time_last": "1083861003", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713085959", + "seq_num": "669" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:35 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_host": "systest-virtual-machine-627950.local", + "dns_host_addr": "10.115.84.154", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3632373935302e6c6f63616c" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:36 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:86:24:0a", + "src_ip": "10.115.84.162", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_host": "systest-virtual-machine-561372.local", + "dns_host_addr": "10.115.84.162", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3536313337322e6c6f63616c", + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "434", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:21.661", + "end_time": "2023:12:13 15:25:21.661", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3231606795", + "sys_up_time_last": "3231606795", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713088007", + "seq_num": "671" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:36 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:dc:79", + "src_ip": "10.115.85.220", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "9.7.c.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "linux-76620.local", + "dns_host_addr": "10.115.85.220", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d37363632302e6c6f63616c", + "dns_query": "220.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:21.469", + "end_time": "2023:12:13 15:25:21.469", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "10381323", + "sys_up_time_last": "10381323", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713089031", + "seq_num": "672" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:36 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:b7:a1:53", + "src_mac": "5c:31:92:40:19:7f", + 
"src_ip": "10.70.70.164", + "dst_ip": "10.115.83.73", + "protocol": "6", + "src_port": "50425", + "dst_port": "22", + "device_inbound_interface": "0", + "app_id": "4968", + "ip_version": "4", + "src_bytes": "18808", + "dst_bytes": "28400", + "src_packets": "223", + "dst_packets": "197", + "start_time": "2023:12:13 15:24:37.341", + "end_time": "2023:12:13 15:25:36.605", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2700175115", + "sys_up_time_last": "551118859", + "end_reason": "2", + "app_name": "Unknown tcp", + "id": "679408454713090055", + "seq_num": "673" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:37 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:86:62:5f", + "src_ip": "10.115.84.172", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_host": "systest-virtual-machine-611134.local", + "dns_host_addr": "10.115.84.172", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3631313133342e6c6f63616c", + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "434", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:24:49.629", + "end_time": "2023:12:13 15:24:49.629", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2686543883", + "sys_up_time_last": "2686543883", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713091079", + "seq_num": "674" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:37 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:3b:c0", + "src_ip": "10.115.85.221", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "0.c.b.3.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "linux-68644.local", + "dns_host_addr": "10.115.85.221", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d36383634342e6c6f63616c", + "dns_query": "221.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "510", + "dst_bytes": "0", + "src_packets": "2", + "dst_packets": "0", + "start_time": "2023:12:13 15:24:41.469", + "end_time": "2023:12:13 15:25:01.501", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3221317643", + "sys_up_time_last": "5269515", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713092103", + "seq_num": "675" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:37 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:fa:3e", + 
"src_ip": "10.114.83.61", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "2", + "dns_transaction_id": "0", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_query": "_ipps._tcp.local", + "dns_query_type": "12", + "app_id": "32", + "ip_version": "4", + "src_bytes": "87", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:18.861", + "end_time": "2023:12:13 15:25:18.861", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3499321355", + "sys_up_time_last": "3499321355", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713093127", + "seq_num": "676" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:37 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:6a:4b", + "src_ip": "10.114.83.75", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa", + "dns_host": "tg-91532.local", + "dns_host_addr": "10.114.83.75", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "74672d39313533322e6c6f63616c", + "dns_query": "75.83.114.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "753" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:37 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_host": "systest-virtual-machine-560195.local", + "dns_host_addr": "10.115.84.159", + "dns_host_type": "PTR", + "dns_ttl": "120" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:37 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "b.2.f.f.8.f.c.5.9.2.d.c.a.4.7.d.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "systest-virtual-machine-584015.local", + "dns_host_addr": "10.115.84.151", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "ff:ff:ff:ff:ff:ff", + "src_mac": "00:50:56:99:05:df", + "src_ip": "0.0.0.0", + "dst_ip": "255.255.255.255", + "protocol": "17", + "src_port": "68", + "dst_port": "67", + "device_inbound_interface": "0", + "app_id": "29", + "ip_version": "4", + "src_bytes": "1400", + "dst_bytes": "0", + "src_packets": "4", + "dst_packets": "0", + "start_time": "2023:12:13 15:24:58.717", + "end_time": "2023:12:13 15:25:26.285", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "541419531", + "sys_up_time_last": "3501221899", + "end_reason": "1", + "app_name": "dhcp", + "id": "679408454713097223", + "seq_num": "680" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:9f:7f:ff", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_ip": "10.115.81.118", + "dst_ip": "10.115.83.4", + "protocol": "17", + "src_port": "43366", + "dst_port": "902", + "device_inbound_interface": "0", + "app_id": "3902", + "ip_version": "4", + "src_bytes": "377", + "dst_bytes": "0", + 
"src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:07.085", + "end_time": "2023:12:13 15:25:07.085", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3496306699", + "sys_up_time_last": "3496306699", + "end_reason": "1", + "app_name": "vmware-client", + "id": "679408454713098247", + "seq_num": "681" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:9f:7f:ff", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_ip": "10.115.81.118", + "dst_ip": "10.115.83.4", + "protocol": "17", + "src_port": "30490", + "dst_port": "902", + "device_inbound_interface": "0", + "app_id": "3902", + "ip_version": "4", + "src_bytes": "377", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:17.085", + "end_time": "2023:12:13 15:25:17.085", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3767298059", + "sys_up_time_last": "3767298059", + "end_reason": "1", + "app_name": "vmware-client", + "id": "679408454713099271", + "seq_num": "682" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:9c:b2:df", + "src_ip": "10.114.82.166", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "d.5.8.e.b.0.0.d.e.d.b.f.f.5.a.8.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_host": "pnstrex-85535.local", + "dns_host_addr": "10.114.82.166", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38353533352e6c6f63616c", + "dns_query": "6.7.e.b.f.9.e.f.c.6.7.b.f.4.5.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "674" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:7f:ff:fa", + "src_mac": "00:50:56:b7:96:08", + "src_ip": "10.115.83.20", + "dst_ip": "239.255.255.250", + "protocol": "17", + "src_port": "49882", + "dst_port": "1900", + "device_inbound_interface": "0", + "app_id": "3414", + "ip_version": "4", + "src_bytes": "868", + "dst_bytes": "0", + "src_packets": "4", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:22.429", + "end_time": "2023:12:13 15:25:25.437", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3231803403", + "sys_up_time_last": "2158848011", + "end_reason": "1", + "app_name": "upnp", + "id": "679408454713101319", + "seq_num": "684" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:86:09:cc", + "src_ip": "10.115.84.171", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_host": "systest-virtual-machine-627875.local", + "dns_host_addr": "10.115.84.171", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3632373837352e6c6f63616c", + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "434", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:23.757", + "end_time": "2023:12:13 15:25:23.757", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "4037437451", + "sys_up_time_last": "4037437451", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713102343", + "seq_num": "685" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:32:1a", + "src_ip": "10.114.82.162", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "3.a.2.3.7.1.5.5.e.2.1.6.e.4.7.e.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-83631.local", + "dns_host_addr": "10.114.82.162", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333633312e6c6f63616c", + "dns_query": "8.3.5.1.c.a.c.b.d.3.2.5.9.0.f.3.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "337", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:24.013", + "end_time": "2023:12:13 15:25:24.013", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "4037502987", + "sys_up_time_last": "4037502987", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713103367", + "seq_num": "686" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "src_mac": "00:50:56:9f:7f:ff", + "src_ip": "10.115.83.4", + "dst_ip": "10.115.81.118", + "protocol": "6", + "src_port": "50694", + "dst_port": "443", + "device_inbound_interface": "0", + "app_id": "68", + "ip_version": "4", + "src_bytes": "399", + "dst_bytes": "388", + "src_packets": "2", + "dst_packets": "1", + "start_time": "2023:12:13 15:25:25.677", + "end_time": "2023:12:13 15:25:25.693", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1890478091", + "sys_up_time_last": "2158913547", + "end_reason": "1", + "app_name": "https", + "id": "679408454713104391", + "seq_num": "687" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "src_mac": "00:50:56:9f:7f:ff", + "src_ip": "10.115.83.4", + "dst_ip": "10.115.81.118", + "protocol": "6", + "src_port": "60117", + "dst_port": "9080", + "device_inbound_interface": "0", + "ssl_cipher_suite_id": "49200", + "app_id": "4962", + "ip_version": "4", + "src_bytes": "1533", + "dst_bytes": "2335", + "src_packets": "11", + "dst_packets": "8", + "start_time": "2023:12:13 15:25:25.837", + "end_time": "2023:12:13 15:25:25.837", + "intf_name": "0", + "egress_intf_id": "0", + 
"sys_up_time_first": "279930891", + "sys_up_time_last": "279930891", + "end_reason": "1", + "app_name": "Unknown ssl", + "id": "679408454713105415", + "seq_num": "688" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:26:ce", + "src_ip": "10.114.82.17", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa", + "dns_host": "tg-92794.local", + "dns_host_addr": "10.114.82.17", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "74672d39323739342e6c6f63616c", + "dns_query": "17.82.114.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "251", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:25.693", + "end_time": "2023:12:13 15:25:25.693", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2158913547", + "sys_up_time_last": "2158913547", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713106439", + "seq_num": "689" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:40 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:99:d1:39", + "src_ip": "10.114.83.110", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "0", + "dns_ancount": "6", + "dns_transaction_id": "0", + "dns_name": 
"2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa", + "dns_host": "tg-92967.local", + "dns_host_type": "PTR", + "dns_reply_code": "0", + "dns_ttl": "120", + "dns_flags": "33792", + "dns_opcode": "0", + "dns_host_raw": "74672d39323936372e6c6f63616c", + "app_id": "32", + "ip_version": "4", + "src_bytes": "924", + "dst_bytes": "0", + "src_packets": "6", + "dst_packets": "0", + "start_time": "2023:12:13 15:24:40.637", + "end_time": "2023:12:13 15:25:25.693", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2164156171", + "sys_up_time_last": "2158913547", + "end_reason": "2", + "app_name": "dns", + "id": "679408454713107463", + "seq_num": "690" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:23:59 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst7_4237d0d0-8241-b4a1-b502-77f97421a2c6", + "dst_mac": "ff:ff:ff:ff:ff:ff", + "src_mac": "00:50:56:99:05:df", + "src_ip": "0.0.0.0", + "dst_ip": "255.255.255.255", + "protocol": "17", + "src_port": "68", + "dst_port": "67", + "device_inbound_interface": "0", + "app_id": "29", + "ip_version": "4", + "src_bytes": "1400", + "dst_bytes": "0", + "src_packets": "4", + "dst_packets": "0", + "start_time": "2023:12:13 15:23:17.354", + "end_time": "2023:12:13 15:23:44.910", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3962320642", + "sys_up_time_last": "2425894658", + "end_reason": "1", + "app_name": "dhcp", + "id": "113836049853586439", + "seq_num": "3" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:41 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:9f:7f:ff", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_ip": "10.115.81.118", + "dst_ip": "10.115.83.4", + "protocol": "17", + "src_port": "15536", + "dst_port": "902", + "device_inbound_interface": "0", + "app_id": "3902", + "ip_version": "4", + "src_bytes": "377", + "dst_bytes": "0", + 
"src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:27.101", + "end_time": "2023:12:13 15:25:27.101", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "11823115", + "sys_up_time_last": "11823115", + "end_reason": "1", + "app_name": "vmware-client", + "id": "679408454713108487", + "seq_num": "691" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:41 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "27", + "dns_transaction_id": "0", + "dns_name": "systest-virtual" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:41 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "9", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-110438.local", + "dns_host": "systest-virtual-machine-110438.local", + "dns_host_addr": "10.115.84.157", + "dns_host_type": "AAAA", + "dns_reply_code": "0", + "dns_response_time": "3.289977", + "dns_ttl": "120", + "dns_flags": "0 Gigam" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:43 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_host": "systest-virtual-machine-616359.local", + "dns_host_addr": "10.115.84.173", + "dns_host_type": "PTR", + "dns_ttl": "120" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:44 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:2d:a0", + "src_ip": "10.115.85.227", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "0.a.d.2.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "linux-59500.local", + "dns_host_addr": "10.115.85.227", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d35393530302e6c6f63616c", + "dns_query": "227.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:29.565", + "end_time": "2023:12:13 15:25:29.565", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2696767499", + "sys_up_time_last": "2696767499", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713112583", + "seq_num": "695" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:44 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:86:3d:da", + "src_ip": "10.115.84.163", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_host": "systest-virtual-machine-559605.local", + "dns_host_addr": "10.115.84.163", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3535393630352e6c6f63616c", + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "434", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:29.725", + "end_time": "2023:12:13 15:25:29.725", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1086220299", + "sys_up_time_last": "1086220299", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713113607", + "seq_num": "696" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:44 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:b7:4d:72", + "src_mac": "00:50:56:9f:ed:dc", + "src_ip": "10.115.83.15", + "dst_ip": "10.115.83.36", + "protocol": "6", + "src_port": "39252", + "dst_port": "8889", + "device_inbound_interface": "0", + "ssl_cipher_suite_id": "4866", + "app_id": "4962", + "ip_version": "4", + "src_bytes": "2019", + "dst_bytes": "2985", + "src_packets": "12", + "dst_packets": "9", + "start_time": "2023:12:13 15:24:45.037", + "end_time": "2023:12:13 15:24:55.053", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2953799691", + "sys_up_time_last": "3493226507", + "end_reason": "2", + "app_name": "Unknown ssl", + "id": "679408454713114631", + "seq_num": "697" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:45 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:89:41", + "src_ip": 
"10.114.82.101", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-83817.local", + "dns_host_addr": "10.114.82.101", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333831372e6c6f63616c", + "dns_query": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "337", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:31.149", + "end_time": "2023:12:13 15:25:31.149", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3502467083", + "sys_up_time_last": "3502467083", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713115655", + "seq_num": "698" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:45 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "5c:31:92:40:19:7f", + "src_mac": "00:50:56:b7:4d:72", + "src_ip": "10.10.1.20", + "dst_ip": "10.115.83.36", + "protocol": "17", + "src_port": "53", + "dst_port": "59004", + "device_inbound_interface": "0", + "dns_qdcount": "1", + "dns_transaction_id": "53887", + "dns_name": "115.10.in-addr.arpa", + "dns_host": "hq1dc1.gigamon.com", + "dns_reverse_addr": "10.115.83.43", + "dns_host_type": "SOA", + "dns_reply_code": "3", + "dns_response_time": "0.001563", + "dns_ttl": "3600", + "dns_flags": "34179", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6871316463312e676967616d6f6e2e636f6d", + "dns_query": "43.83.115.10.in-addr.arpa", + "dns_query_type": "12", + "app_id": "32", + 
"ip_version": "4", + "src_bytes": "169", + "dst_bytes": "85", + "src_packets": "1", + "dst_packets": "1", + "start_time": "2023:12:13 15:25:30.637", + "end_time": "2023:12:13 15:25:30.653", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3502336011", + "sys_up_time_last": "3770771467", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713116679", + "seq_num": "699" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:46 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "src_mac": "00:50:56:9f:7f:ff", + "src_ip": "10.115.83.4", + "dst_ip": "10.115.81.118", + "protocol": "6", + "src_port": "54892", + "dst_port": "443", + "device_inbound_interface": "0", + "app_id": "68", + "ip_version": "4", + "src_bytes": "10482", + "dst_bytes": "59982", + "src_packets": "52", + "dst_packets": "47", + "start_time": "2023:12:13 15:24:47.085", + "end_time": "2023:12:13 15:25:31.837", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2954323979", + "sys_up_time_last": "2160486411", + "end_reason": "1", + "app_name": "https", + "id": "679408454713117703", + "seq_num": "700" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:46 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "f.1.2.3.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_host": "linux-57522.local", + "dns_host_addr": "10.115.85.228", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1 Gi" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:47 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "17", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-549088.local", + "dns_host": "systest-vir" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:47 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "7.1.7.e.b.a.5.d.3.3.b.b.d.3.f.4.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-81458.local", + "dns_host_addr": "10.114.82.169", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d3831" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:47 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:62:db", + "src_ip": "10.115.85.229", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "b.d.2.6.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_host": "linux-49198.local", + "dns_host_addr": "10.115.85.229", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d34393139382e6c6f63616c", + "dns_query": "229.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:32.669", + "end_time": "2023:12:13 15:25:32.669", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "3234424843", + "sys_up_time_last": "3234424843", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713121799", + "seq_num": "704" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:47 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "27", + "dns_transaction_id": "0", + "dns_name": "sys" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:47 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "9", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-557153.local", + "dns_host": "systest-virtual-machine-557153.local", + "dns_host_addr": "10.115.84.167", + "dns_host_type": "A", + "dns_reply_code": "0", + "dns_response_time": "3.549374", + "dns_ttl": "120", + "dns_flags": "33792", + "dns_opcode": "" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:48 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "9", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-553001.local", + "dns_host": "systest-virtual-machine-553001.local", + "dns_host_addr": "10.115.84.166", + "dns_host_type": "A", 
+ "dns_reply_code": "0", + "dns_response_time": "3.440722", + "dns_ttl": "120" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:49 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:72:27", + "src_ip": "10.115.85.224", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "7.2.2.7.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "linux-69817.local", + "dns_host_addr": "10.115.85.224", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d36393831372e6c6f63616c", + "dns_query": "224.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:34.941", + "end_time": "2023:12:13 15:25:34.941", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "2698143755", + "sys_up_time_last": "2698143755", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713125895", + "seq_num": "708" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:49 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "2", + "dns_ancount": "37", + "dns_arcount": "5", + "dns_transaction_id": "0", + "dns_name": "_tcn_eqaHCT._tcp.local", + "dns_host": "MyClust23._t" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:49 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "27", + "dns_transaction_id": "0", + "dns_name": 
"systest-virtual-machine-551405.local" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:50 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "src_mac": "00:50:56:9f:7f:ff", + "src_ip": "10.115.83.4", + "dst_ip": "10.115.81.118", + "protocol": "6", + "src_port": "60895", + "dst_port": "9080", + "device_inbound_interface": "0", + "ssl_cipher_suite_id": "49200", + "app_id": "4962", + "ip_version": "4", + "src_bytes": "1533", + "dst_bytes": "2335", + "src_packets": "11", + "dst_packets": "8", + "start_time": "2023:12:13 15:25:35.821", + "end_time": "2023:12:13 15:25:35.821", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "282486795", + "sys_up_time_last": "282486795", + "end_reason": "1", + "app_name": "Unknown ssl", + "id": "679408454713128967", + "seq_num": "711" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:50 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:86:47:92", + "src_ip": "10.115.84.152", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_host": "systest-virtual-machine-634804.local", + "dns_host_addr": "10.115.84.152", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3633343830342e6c6f63616c", + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "434", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:36.429", + "end_time": "2023:12:13 15:25:36.429", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1893230603", + "sys_up_time_last": "1893230603", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713129991", + "seq_num": "712" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:50 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "5", + "dns_transaction_id": "0", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_host": "systest-virtual-machine-560119.local", + "dns_host_addr": "10.115.84.170", + "dns_host_type": "PTR", + "dns_ttl": "120" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:50 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:8d:d8:f7", + "src_ip": "10.114.82.167", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "0.7.1.8.d.2.7.5.f.d.5.3.8.6.c.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_host": "pnstrex-85508.local", + "dns_host_addr": "10.114.82.167", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38353530382e6c6f63616c", + "dns_query": "7.7.4.f.0.1.0.d.e.7.9.c.d.f.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "337", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:35.805", + "end_time": "2023:12:13 15:25:35.805", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "14051339", + "sys_up_time_last": "14051339", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713132039", + "seq_num": "714" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:51 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:9f:7f:ff", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_ip": "10.115.81.118", + "dst_ip": "10.115.83.4", + "protocol": "17", + "src_port": "43599", + "dst_port": "902", + "device_inbound_interface": "0", + "app_id": "3902", + "ip_version": "4", + "src_bytes": "377", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:37.101", + "end_time": "2023:12:13 15:25:37.101", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "282814475", + "sys_up_time_last": "282814475", + "end_reason": "1", + "app_name": "vmware-client", + "id": "679408454713133063", + "seq_num": "715" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:51 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:94:d4:c8", + "src_ip": "10.115.85.219", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "3", + "dns_transaction_id": "0", + "dns_name": "8.c.4.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_host": "linux-52271.local", + "dns_host_addr": "10.115.85.219", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d35323237312e6c6f63616c", + "dns_query": "219.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "app_id": "32", + "ip_version": "4", + "src_bytes": "255", + "dst_bytes": "0", + "src_packets": "1", + "dst_packets": "0", + "start_time": "2023:12:13 15:25:37.149", + "end_time": "2023:12:13 15:25:37.149", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1088120843", + "sys_up_time_last": "1088120843", + "end_reason": "1", + "app_name": "dns", + "id": "679408454713134087", + "seq_num": "716" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:51 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "4", + "dns_transaction_id": "0", + "dns_name": "3.d.9.2.5.4.0.b.9.1.8.8.2.1.0.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_host": "pnstrex-61352.local", + "dns_host_addr": "10.114.83.205", + "dns_host_type": "PTR", + "dns_ttl": "120", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d3631" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:52 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "18", + "dns_transaction_id": "0", + "dns_name": "systest-virtual-machine-613736.local", + "dns_host": "systest-virtual-machine-613736.local" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:52 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:50:56:b7:a1:53", + "src_mac": "5c:31:92:40:19:7f", + "src_ip": "10.70.70.164", + "dst_ip": "10.115.83.73", + "protocol": "6", + "src_port": "50425", + "dst_port": "22", + "device_inbound_interface": "0", + "app_id": "4968", + "ip_version": "4", + "src_bytes": "518", + "dst_bytes": "286", + "src_packets": "7", + "dst_packets": "3", + "start_time": "2023:12:13 15:25:36.669", + "end_time": "2023:12:13 15:25:38.253", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "1624860683", + "sys_up_time_last": "2430560267", + "end_reason": "1", + "app_name": "Unknown tcp", + "id": "679408454713137159", + "seq_num": "719" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:52 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "0", + "dns_ancount": "27", + "dns_transaction_id": "0", + "dns_name": "sys" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:52 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "src_mac": "00:50:56:9f:7f:ff", + "src_ip": "10.115.83.4", + 
"dst_ip": "10.115.81.118", + "protocol": "6", + "src_port": "41529", + "dst_port": "9080", + "device_inbound_interface": "0", + "ssl_cipher_suite_id": "49200", + "app_id": "4962", + "ip_version": "4", + "src_bytes": "1533", + "dst_bytes": "2335", + "src_packets": "11", + "dst_packets": "8", + "start_time": "2023:12:13 15:25:15.821", + "end_time": "2023:12:13 15:25:15.821", + "intf_name": "0", + "egress_intf_id": "0", + "sys_up_time_first": "4035405835", + "sys_up_time_last": "4035405835", + "end_reason": "1", + "app_name": "Unknown ssl", + "id": "679408454713139207", + "seq_num": "721" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:52 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "1", + "dns_ancount": "30", + "dns_transaction_id": "0", + "dns_name": "_tms_cluster._tcp.local", + "dns_host": "duo-test-cluster._tms_cluster._tcp.local", + "dns_host_type": "PTR" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:52 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dns_qdcount": "2", + "dns_ancount": "40", + "dns_transaction_id": "0", + "dns_name": "_tcn_Suki-Cluster._tcp.local", + "dns_host": "eqaHCT._tms" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "01:00:5e:00:00:fb", + "src_mac": "00:50:56:a0:50:0d", + "src_ip": "10.115.82.8", + "dst_ip": "224.0.0.251", + "protocol": "17", + "src_port": "5353", + "dst_port": "5353", + "device_inbound_interface": "0", + "dns_qdcount": "7", + "dns_transaction_id": "0", + "dns_flags": "0", + "dns_opcode": "0", + "dns_class": "1", + "dns_query": "_webdav._tcp.local", + "dns_query_type": "12", + "app_id": "32", + "ip_version": "4", + "src_bytes": "247", + "dst_bytes": "0", + "src_packets": "2", + "dst_packets": "0", 
+ "start_time": "2023:12:13 15:25:39.533",
+ "end_time": "2023:12:13 15:25:40.285",
+ "intf_name": "0",
+ "egress_intf_id": "0",
+ "sys_up_time_first": "2430887947",
+ "sys_up_time_last": "2162649099",
+ "end_reason": "1",
+ "app_name": "dns",
+ "id": "679408454713142279",
+ "seq_num": "724"
+ }
+ }
+ ]
+}
diff --git a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json
new file mode 100644
index 00000000000..62361552702
--- /dev/null
+++ b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json
@@ -0,0 +1,2915 @@ +{ + "expected": [ + { + "@timestamp": "2023-12-13T15:25:25.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-83816.local", + "dns_host_addr": "10.114.82.101", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333831362e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:11.181Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713072647", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 656, + "src_bytes": 337, + "src_ip": "10.114.82.101", + "src_mac": "00:50:56:8d:89:41", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:11.181Z", + "sys_up_time_first": 3497355275, + "sys_up_time_last": 3497355275, + "ts": "2023-12-13T15:25:25.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:26.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_ancount": 4, + "dns_class": "1", + "dns_flags": "0", + "dns_host": "HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local", + "dns_host_class": "1", + "dns_host_raw": 
"4843545f363031312d3138316530306133306166362e5f74636e5f6571614843542e5f7463702e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "_tcn_eqaHCT._tcp.local", + "dns_opcode": "0", + "dns_qdcount": 2, + "dns_query": "HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local", + "dns_query_type": "16", + "dns_query_type_value": "TXT", + "dns_transaction_id": 0, + "dns_ttl": 4499, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:11.789Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713073671", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 657, + "src_bytes": 324, + "src_ip": "10.115.80.208", + "src_mac": "00:1d:ac:45:34:00", + "src_packets": 2, + "src_port": 5353, + "start_time": "2023-12-13T15:25:10.797Z", + "sys_up_time_first": 1349806091, + "sys_up_time_last": 813197323, + "ts": "2023-12-13T15:25:26.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:27.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-49197.local", + "dns_host_addr": "10.115.85.229", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d34393139372e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "b.d.2.6.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "229.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:12.781Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713074695", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 658, + "src_bytes": 255, + "src_ip": "10.115.85.229", + "src_mac": "00:50:56:94:62:db", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:12.781Z", + "sys_up_time_first": 276588555, + "sys_up_time_last": 276588555, + "ts": "2023-12-13T15:25:27.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:27.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 9, + "dns_flags": "33792", + "dns_host": "systest-virtual-machine-557152.local", + "dns_host_addr": "10.115.84.167", + "dns_host_type": "A", + "dns_name": "systest-virtual-machine-557152.local", + "dns_qdcount": 0, + "dns_reply_code": "0", + "dns_reply_code_value": "No Error", + "dns_response_time": 3.412379, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:27.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:27.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 400, + "dns_name": "_", + "dns_qdcount": 2, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": 
"2023-12-13T15:25:27.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:28.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 27, + "dns_name": "systest-virtual-machine-552999.local", + "dns_qdcount": 0, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:28.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:28.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 19, + "dns_host": "gigamon_8b6c6e-3513b246ab72._tcn_ABCD99995._tcp.local", + "dns_host_type": "PTR", + "dns_name": "_tcn_ABCD99995._tcp.local", + "dns_qdcount": 1, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:28.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:29.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-69816.local", + "dns_host_addr": "10.115.85.224", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d36393831362e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "7.2.2.7.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "224.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:15.037Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713079815", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 663, + "src_bytes": 255, + "src_ip": "10.115.85.224", + "src_mac": "00:50:56:94:72:27", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:15.037Z", + "sys_up_time_first": 3766773771, + "sys_up_time_last": 3766773771, + "ts": "2023-12-13T15:25:29.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:30.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-85507.local", + "dns_host_addr": "10.114.82.167", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38353530372e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "0.7.1.8.d.2.7.5.f.d.5.3.8.6.c.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "7.7.4.f.0.1.0.d.e.7.9.c.d.f.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:15.901Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713080839", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 664, + "src_bytes": 337, + "src_ip": "10.114.82.167", + "src_mac": "00:50:56:8d:d8:f7", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:15.901Z", + "sys_up_time_first": 1082681355, + "sys_up_time_last": 1082681355, + "ts": "2023-12-13T15:25:30.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:30.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-61351.local", + "dns_host_addr": "10.114.83.205", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d36313335312e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "3.d.9.2.5.4.0.b.9.1.8.8.2.1.0.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "2.7.8.c.f.f.6.2.a.5.8.1.2.3.4.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:15.917Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713081863", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 665, + "src_bytes": 335, + "src_ip": "10.114.83.205", + "src_mac": "00:50:56:9c:74:4e", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:15.917Z", + "sys_up_time_first": 1351116811, + "sys_up_time_last": 1351116811, + "ts": "2023-12-13T15:25:30.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:31.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-52270.local", + "dns_host_addr": "10.115.85.219", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d35323237302e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "8.c.4.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "219.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:17.229Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713082887", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 666, + "src_bytes": 255, + "src_ip": "10.115.85.219", + "src_mac": "00:50:56:94:d4:c8", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:17.229Z", + "sys_up_time_first": 1888315403, + "sys_up_time_last": 1888315403, + "ts": "2023-12-13T15:25:31.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:33.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4979, + "app_name": "Unknown udp", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "10.115.83.43", + "dst_mac": "00:50:56:9d:d1:ff", + "dst_packets": 0, + "dst_port": 514, + "egress_intf_id": "0", + "end_reason": "2", + "end_reason_value": "Active Timeout", + "end_time": "2023-12-13T15:25:31.645Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713083911", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 667, + "src_bytes": 837334, + "src_ip": "10.115.83.37", + "src_mac": "00:50:56:b7:e4:a1", + "src_packets": 629, + "src_port": 23384, + "start_time": "2023-12-13T15:24:33.549Z", + "sys_up_time_first": 3504498443, + "sys_up_time_last": 3234162699, + "ts": "2023-12-13T15:25:33.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] 
+ }, + { + "@timestamp": "2023-12-13T15:25:35.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 9, + "dns_flags": "33792", + "dns_host": "systest-virtual-machine-552428.local", + "dns_host_addr": "10.115.84.155", + "dns_host_type": "A", + "dns_name": "systest-virtual-machine-552428.local", + "dns_qdcount": 0, + "dns_reply_code": "0", + "dns_reply_code_value": "No Error", + "dns_response_time": 3.520447, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:35.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:35.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-560412.local", + "dns_host_addr": "10.115.84.168", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3536303431322e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:20.509Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713085959", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 669, + "src_bytes": 434, + "src_ip": "10.115.84.168", + "src_mac": "00:50:56:86:1f:d9", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:20.509Z", + "sys_up_time_first": 1083861003, + "sys_up_time_last": 1083861003, + "ts": "2023-12-13T15:25:35.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:35.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-627950.local", + "dns_host_addr": "10.115.84.154", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3632373935302e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:35.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:36.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-561372.local", + "dns_host_addr": "10.115.84.162", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3536313337322e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:21.661Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713088007", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 671, + "src_bytes": 434, + "src_ip": "10.115.84.162", + "src_mac": "00:50:56:86:24:0a", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:21.661Z", + "sys_up_time_first": 3231606795, + "sys_up_time_last": 3231606795, + "ts": "2023-12-13T15:25:36.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:36.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + 
"ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-76620.local", + "dns_host_addr": "10.115.85.220", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d37363632302e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "9.7.c.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "220.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:21.469Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713089031", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 672, + "src_bytes": 255, + "src_ip": "10.115.85.220", + "src_mac": "00:50:56:94:dc:79", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:21.469Z", + "sys_up_time_first": 10381323, + "sys_up_time_last": 10381323, + "ts": "2023-12-13T15:25:36.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:36.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4968, + "app_name": "Unknown tcp", + "device_inbound_interface": "0", + "dst_bytes": 28400, + "dst_ip": "10.115.83.73", + "dst_mac": "00:50:56:b7:a1:53", + "dst_packets": 197, + "dst_port": 22, + "egress_intf_id": "0", + "end_reason": "2", + "end_reason_value": "Active Timeout", + "end_time": "2023-12-13T15:25:36.605Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713090055", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 
673, + "src_bytes": 18808, + "src_ip": "10.70.70.164", + "src_mac": "5c:31:92:40:19:7f", + "src_packets": 223, + "src_port": 50425, + "start_time": "2023-12-13T15:24:37.341Z", + "sys_up_time_first": 2700175115, + "sys_up_time_last": 551118859, + "ts": "2023-12-13T15:25:36.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-611134.local", + "dns_host_addr": "10.115.84.172", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3631313133342e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:24:49.629Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713091079", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 674, + "src_bytes": 434, + "src_ip": "10.115.84.172", + "src_mac": "00:50:56:86:62:5f", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:24:49.629Z", + "sys_up_time_first": 2686543883, + "sys_up_time_last": 2686543883, + "ts": "2023-12-13T15:25:37.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-68644.local", + "dns_host_addr": "10.115.85.221", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d36383634342e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "0.c.b.3.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "221.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:01.501Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713092103", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 675, + "src_bytes": 510, + "src_ip": "10.115.85.221", + "src_mac": "00:50:56:94:3b:c0", + "src_packets": 2, + "src_port": 5353, + "start_time": "2023-12-13T15:24:41.469Z", + "sys_up_time_first": 3221317643, + "sys_up_time_last": 5269515, + "ts": "2023-12-13T15:25:37.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_opcode": "0", + "dns_qdcount": 2, + "dns_query": "_ipps._tcp.local", + "dns_query_type": "12", + "dns_query_type_value": "PTR", + "dns_transaction_id": 0, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:18.861Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713093127", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 676, + "src_bytes": 87, + "src_ip": "10.114.83.61", + "src_mac": "00:50:56:8d:fa:3e", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:18.861Z", + "sys_up_time_first": 
3499321355, + "sys_up_time_last": 3499321355, + "ts": "2023-12-13T15:25:37.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "tg-91532.local", + "dns_host_addr": "10.114.83.75", + "dns_host_class": "1", + "dns_host_raw": "74672d39313533322e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "75.83.114.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_port": 5353, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ip_version": "4", + "protocol": "17", + "src_bytes": 753, + "src_ip": "10.114.83.75", + "src_mac": "00:50:56:8d:6a:4b", + "src_port": 5353, + "ts": "2023-12-13T15:25:37.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_host": "systest-virtual-machine-560195.local", + "dns_host_addr": "10.115.84.159", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_qdcount": 5, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:37.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-584015.local", + "dns_host_addr": "10.115.84.151", + "dns_host_class": "1", + "dns_host_type": "PTR", + "dns_name": "b.2.f.f.8.f.c.5.9.2.d.c.a.4.7.d.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:37.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 29, + "app_name": "dhcp", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "255.255.255.255", + "dst_mac": "ff:ff:ff:ff:ff:ff", + "dst_packets": 0, + "dst_port": 67, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:26.285Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713097223", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 680, + "src_bytes": 1400, + "src_ip": "0.0.0.0", + "src_mac": "00:50:56:99:05:df", + "src_packets": 4, + "src_port": 68, + "start_time": "2023-12-13T15:24:58.717Z", + "sys_up_time_first": 541419531, + "sys_up_time_last": 3501221899, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", 
+ "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 3902, + "app_name": "vmware-client", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "10.115.83.4", + "dst_mac": "00:50:56:9f:7f:ff", + "dst_packets": 0, + "dst_port": 902, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:07.085Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713098247", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 681, + "src_bytes": 377, + "src_ip": "10.115.81.118", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_packets": 1, + "src_port": 43366, + "start_time": "2023-12-13T15:25:07.085Z", + "sys_up_time_first": 3496306699, + "sys_up_time_last": 3496306699, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 3902, + "app_name": "vmware-client", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "10.115.83.4", + "dst_mac": "00:50:56:9f:7f:ff", + "dst_packets": 0, + "dst_port": 902, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:17.085Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713099271", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 682, + "src_bytes": 377, + "src_ip": "10.115.81.118", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_packets": 1, + "src_port": 30490, + "start_time": "2023-12-13T15:25:17.085Z", + "sys_up_time_first": 3767298059, + "sys_up_time_last": 3767298059, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + 
"ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-85535.local", + "dns_host_addr": "10.114.82.166", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38353533352e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.5.8.e.b.0.0.d.e.d.b.f.f.5.a.8.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "6.7.e.b.f.9.e.f.c.6.7.b.f.4.5.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_port": 5353, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ip_version": "4", + "protocol": "17", + "src_bytes": 674, + "src_ip": "10.114.82.166", + "src_mac": "00:50:56:9c:b2:df", + "src_port": 5353, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 3414, + "app_name": "upnp", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "239.255.255.250", + "dst_mac": "01:00:5e:7f:ff:fa", + "dst_packets": 0, + "dst_port": 1900, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:25.437Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713101319", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 684, + "src_bytes": 868, + "src_ip": "10.115.83.20", + "src_mac": "00:50:56:b7:96:08", + "src_packets": 4, + "src_port": 49882, + "start_time": "2023-12-13T15:25:22.429Z", + "sys_up_time_first": 3231803403, + "sys_up_time_last": 2158848011, + "ts": "2023-12-13T15:25:40.000Z", + 
"vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-627875.local", + "dns_host_addr": "10.115.84.171", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3632373837352e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:23.757Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713102343", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 685, + "src_bytes": 434, + "src_ip": "10.115.84.171", + "src_mac": "00:50:56:86:09:cc", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:23.757Z", + "sys_up_time_first": 4037437451, + "sys_up_time_last": 4037437451, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-83631.local", + "dns_host_addr": "10.114.82.162", + 
"dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333633312e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "3.a.2.3.7.1.5.5.e.2.1.6.e.4.7.e.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "8.3.5.1.c.a.c.b.d.3.2.5.9.0.f.3.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:24.013Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713103367", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 686, + "src_bytes": 337, + "src_ip": "10.114.82.162", + "src_mac": "00:50:56:8d:32:1a", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:24.013Z", + "sys_up_time_first": 4037502987, + "sys_up_time_last": 4037502987, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 68, + "app_name": "https", + "device_inbound_interface": "0", + "dst_bytes": 388, + "dst_ip": "10.115.81.118", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "dst_packets": 1, + "dst_port": 443, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:25.693Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713104391", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 687, + "src_bytes": 399, + "src_ip": "10.115.83.4", + "src_mac": "00:50:56:9f:7f:ff", + "src_packets": 2, + "src_port": 50694, + "start_time": 
"2023-12-13T15:25:25.677Z", + "sys_up_time_first": 1890478091, + "sys_up_time_last": 2158913547, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4962, + "app_name": "Unknown ssl", + "device_inbound_interface": "0", + "dst_bytes": 2335, + "dst_ip": "10.115.81.118", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "dst_packets": 8, + "dst_port": 9080, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:25.837Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713105415", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 688, + "src_bytes": 1533, + "src_ip": "10.115.83.4", + "src_mac": "00:50:56:9f:7f:ff", + "src_packets": 11, + "src_port": 60117, + "ssl_cipher_suite_id": "49200", + "ssl_cipher_suite_id_value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "start_time": "2023-12-13T15:25:25.837Z", + "sys_up_time_first": 279930891, + "sys_up_time_last": 279930891, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "tg-92794.local", + "dns_host_addr": "10.114.82.17", + "dns_host_class": "1", + "dns_host_raw": "74672d39323739342e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "17.82.114.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:25.693Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713106439", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 689, + "src_bytes": 251, + "src_ip": "10.114.82.17", + "src_mac": "00:50:56:8d:26:ce", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:25.693Z", + "sys_up_time_first": 2158913547, + "sys_up_time_last": 2158913547, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_ancount": 6, + "dns_flags": "33792", + "dns_host": "tg-92967.local", + "dns_host_raw": "74672d39323936372e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 0, + "dns_reply_code": "0", + "dns_reply_code_value": "No Error", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "2", + "end_reason_value": "Active Timeout", + "end_time": "2023-12-13T15:25:25.693Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713107463", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 690, + "src_bytes": 924, + "src_ip": "10.114.83.110", + "src_mac": "00:50:56:99:d1:39", + "src_packets": 6, + "src_port": 5353, + "start_time": "2023-12-13T15:24:40.637Z", + "sys_up_time_first": 2164156171, + "sys_up_time_last": 2158913547, + "ts": "2023-12-13T15:25:40.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:23:59.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 29, + "app_name": "dhcp", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "255.255.255.255", + "dst_mac": "ff:ff:ff:ff:ff:ff", + "dst_packets": 0, + "dst_port": 67, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:23:44.910Z", + "generator": "gs_apps_appInst7_4237d0d0-8241-b4a1-b502-77f97421a2c6", + "id": "113836049853586439", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 3, + "src_bytes": 1400, + "src_ip": "0.0.0.0", + "src_mac": "00:50:56:99:05:df", + "src_packets": 4, + "src_port": 68, + "start_time": "2023-12-13T15:23:17.354Z", + "sys_up_time_first": 3962320642, + "sys_up_time_last": 2425894658, + "ts": "2023-12-13T15:23:59.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:41.000Z", + "ecs": 
{ + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 3902, + "app_name": "vmware-client", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "10.115.83.4", + "dst_mac": "00:50:56:9f:7f:ff", + "dst_packets": 0, + "dst_port": 902, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:27.101Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713108487", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 691, + "src_bytes": 377, + "src_ip": "10.115.81.118", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_packets": 1, + "src_port": 15536, + "start_time": "2023-12-13T15:25:27.101Z", + "sys_up_time_first": 11823115, + "sys_up_time_last": 11823115, + "ts": "2023-12-13T15:25:41.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:41.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 27, + "dns_name": "systest-virtual", + "dns_qdcount": 0, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:41.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:41.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 9, + "dns_flags": "0 Gigam", + "dns_host": "systest-virtual-machine-110438.local", + "dns_host_addr": "10.115.84.157", + "dns_host_type": "AAAA", + "dns_name": "systest-virtual-machine-110438.local", + "dns_qdcount": 0, + "dns_reply_code": "0", + "dns_reply_code_value": "No Error", + "dns_response_time": 3.289977, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:41.000Z", + "vendor": "Gigamon", + "version": 
"6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:43.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_host": "systest-virtual-machine-616359.local", + "dns_host_addr": "10.115.84.173", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_qdcount": 5, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:43.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:44.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-59500.local", + "dns_host_addr": "10.115.85.227", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d35393530302e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "0.a.d.2.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "227.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:29.565Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713112583", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 695, + "src_bytes": 255, + "src_ip": "10.115.85.227", + "src_mac": "00:50:56:94:2d:a0", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:29.565Z", + "sys_up_time_first": 2696767499, + "sys_up_time_last": 2696767499, + "ts": "2023-12-13T15:25:44.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:44.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-559605.local", + "dns_host_addr": "10.115.84.163", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3535393630352e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:29.725Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713113607", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 696, + "src_bytes": 434, + "src_ip": "10.115.84.163", + "src_mac": "00:50:56:86:3d:da", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:29.725Z", + "sys_up_time_first": 1086220299, + "sys_up_time_last": 1086220299, + "ts": "2023-12-13T15:25:44.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:44.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4962, + "app_name": "Unknown ssl", + "device_inbound_interface": "0", + "dst_bytes": 2985, + "dst_ip": "10.115.83.36", + "dst_mac": "00:50:56:b7:4d:72", + "dst_packets": 9, + "dst_port": 8889, + "egress_intf_id": "0", + "end_reason": "2", + "end_reason_value": "Active Timeout", + "end_time": "2023-12-13T15:24:55.053Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713114631", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 697, + "src_bytes": 2019, + "src_ip": "10.115.83.15", + "src_mac": "00:50:56:9f:ed:dc", + "src_packets": 12, + "src_port": 39252, + "ssl_cipher_suite_id": "4866", + "ssl_cipher_suite_id_value": "TLS_AES_256_GCM_SHA384", + "start_time": "2023-12-13T15:24:45.037Z", + "sys_up_time_first": 2953799691, + "sys_up_time_last": 3493226507, + "ts": "2023-12-13T15:25:44.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" 
+ ] + }, + { + "@timestamp": "2023-12-13T15:25:45.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-83817.local", + "dns_host_addr": "10.114.82.101", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333831372e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:31.149Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713115655", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 698, + "src_bytes": 337, + "src_ip": "10.114.82.101", + "src_mac": "00:50:56:8d:89:41", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:31.149Z", + "sys_up_time_first": 3502467083, + "sys_up_time_last": 3502467083, + "ts": "2023-12-13T15:25:45.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:45.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "34179", + "dns_host": "hq1dc1.gigamon.com", + "dns_host_class": "1", + "dns_host_raw": "6871316463312e676967616d6f6e2e636f6d", + "dns_host_type": "SOA", + "dns_name": "115.10.in-addr.arpa", + "dns_opcode": "0", + "dns_qdcount": 1, + 
"dns_query": "43.83.115.10.in-addr.arpa", + "dns_query_type": "12", + "dns_query_type_value": "PTR", + "dns_reply_code": "3", + "dns_reply_code_value": "Non-Existent Domain", + "dns_response_time": 0.001563, + "dns_reverse_addr": "10.115.83.43", + "dns_transaction_id": 53887, + "dns_ttl": 3600, + "dst_bytes": 85, + "dst_ip": "10.115.83.36", + "dst_mac": "5c:31:92:40:19:7f", + "dst_packets": 1, + "dst_port": 59004, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:30.653Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713116679", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 699, + "src_bytes": 169, + "src_ip": "10.10.1.20", + "src_mac": "00:50:56:b7:4d:72", + "src_packets": 1, + "src_port": 53, + "start_time": "2023-12-13T15:25:30.637Z", + "sys_up_time_first": 3502336011, + "sys_up_time_last": 3770771467, + "ts": "2023-12-13T15:25:45.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:46.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 68, + "app_name": "https", + "device_inbound_interface": "0", + "dst_bytes": 59982, + "dst_ip": "10.115.81.118", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "dst_packets": 47, + "dst_port": 443, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:31.837Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713117703", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 700, + "src_bytes": 10482, + "src_ip": "10.115.83.4", + "src_mac": "00:50:56:9f:7f:ff", + "src_packets": 52, + "src_port": 54892, + "start_time": "2023-12-13T15:24:47.085Z", + "sys_up_time_first": 2954323979, + "sys_up_time_last": 2160486411, + "ts": "2023-12-13T15:25:46.000Z", + "vendor": 
"Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:46.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-57522.local", + "dns_host_addr": "10.115.85.228", + "dns_host_class": "1 Gi", + "dns_host_type": "PTR", + "dns_name": "f.1.2.3.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:46.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 17, + "dns_host": "systest-vir", + "dns_name": "systest-virtual-machine-549088.local", + "dns_qdcount": 0, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:47.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-81458.local", + "dns_host_addr": "10.114.82.169", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d3831", + "dns_host_type": "PTR", + "dns_name": "7.1.7.e.b.a.5.d.3.3.b.b.d.3.f.4.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:47.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-49198.local", + "dns_host_addr": "10.115.85.229", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d34393139382e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "b.d.2.6.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "229.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:32.669Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713121799", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 704, + "src_bytes": 255, + "src_ip": "10.115.85.229", + "src_mac": "00:50:56:94:62:db", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:32.669Z", + "sys_up_time_first": 3234424843, + "sys_up_time_last": 3234424843, + "ts": "2023-12-13T15:25:47.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 27, + "dns_name": "sys", + "dns_qdcount": 0, + "dns_transaction_id": 0, + 
"generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:47.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 9, + "dns_flags": "33792", + "dns_host": "systest-virtual-machine-557153.local", + "dns_host_addr": "10.115.84.167", + "dns_host_type": "A", + "dns_name": "systest-virtual-machine-557153.local", + "dns_qdcount": 0, + "dns_reply_code": "0", + "dns_reply_code_value": "No Error", + "dns_response_time": 3.549374, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:47.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 9, + "dns_host": "systest-virtual-machine-553001.local", + "dns_host_addr": "10.115.84.166", + "dns_host_type": "A", + "dns_name": "systest-virtual-machine-553001.local", + "dns_qdcount": 0, + "dns_reply_code": "0", + "dns_reply_code_value": "No Error", + "dns_response_time": 3.440722, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:48.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:49.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-69817.local", + "dns_host_addr": "10.115.85.224", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d36393831372e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": 
"7.2.2.7.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "224.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:34.941Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713125895", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 708, + "src_bytes": 255, + "src_ip": "10.115.85.224", + "src_mac": "00:50:56:94:72:27", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:34.941Z", + "sys_up_time_first": 2698143755, + "sys_up_time_last": 2698143755, + "ts": "2023-12-13T15:25:49.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:49.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 37, + "dns_arcount": 5, + "dns_host": "MyClust23._t", + "dns_name": "_tcn_eqaHCT._tcp.local", + "dns_qdcount": 2, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:49.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:49.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 27, + "dns_name": "systest-virtual-machine-551405.local", + "dns_qdcount": 0, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:49.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { 
+ "@timestamp": "2023-12-13T15:25:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4962, + "app_name": "Unknown ssl", + "device_inbound_interface": "0", + "dst_bytes": 2335, + "dst_ip": "10.115.81.118", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "dst_packets": 8, + "dst_port": 9080, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:35.821Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713128967", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 711, + "src_bytes": 1533, + "src_ip": "10.115.83.4", + "src_mac": "00:50:56:9f:7f:ff", + "src_packets": 11, + "src_port": 60895, + "ssl_cipher_suite_id": "49200", + "ssl_cipher_suite_id_value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "start_time": "2023-12-13T15:25:35.821Z", + "sys_up_time_first": 282486795, + "sys_up_time_last": 282486795, + "ts": "2023-12-13T15:25:50.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "systest-virtual-machine-634804.local", + "dns_host_addr": "10.115.84.152", + "dns_host_class": "1", + "dns_host_raw": "737973746573742d7669727475616c2d6d616368696e652d3633343830342e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 5, + "dns_query": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:36.429Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713129991", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 712, + "src_bytes": 434, + "src_ip": "10.115.84.152", + "src_mac": "00:50:56:86:47:92", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:36.429Z", + "sys_up_time_first": 1893230603, + "sys_up_time_last": 1893230603, + "ts": "2023-12-13T15:25:50.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_host": "systest-virtual-machine-560119.local", + "dns_host_addr": "10.115.84.170", + "dns_host_type": "PTR", + "dns_name": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "dns_qdcount": 5, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:50.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-85508.local", + "dns_host_addr": "10.114.82.167", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38353530382e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "0.7.1.8.d.2.7.5.f.d.5.3.8.6.c.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "7.7.4.f.0.1.0.d.e.7.9.c.d.f.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:35.805Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713132039", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 714, + "src_bytes": 337, + "src_ip": "10.114.82.167", + "src_mac": "00:50:56:8d:d8:f7", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:35.805Z", + "sys_up_time_first": 14051339, + "sys_up_time_last": 14051339, + "ts": "2023-12-13T15:25:50.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:51.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 3902, + "app_name": "vmware-client", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "10.115.83.4", + "dst_mac": "00:50:56:9f:7f:ff", + "dst_packets": 0, + "dst_port": 902, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:37.101Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713133063", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 715, + "src_bytes": 377, + "src_ip": "10.115.81.118", + "src_mac": "0c:c4:7a:f8:0d:c4", + "src_packets": 1, + "src_port": 43599, + "start_time": "2023-12-13T15:25:37.101Z", + "sys_up_time_first": 282814475, + "sys_up_time_last": 282814475, + "ts": "2023-12-13T15:25:51.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + 
"tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:51.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "linux-52271.local", + "dns_host_addr": "10.115.85.219", + "dns_host_class": "1", + "dns_host_raw": "6c696e75782d35323237312e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "8.c.4.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 3, + "dns_query": "219.85.115.10.in-addr.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:37.149Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713134087", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 716, + "src_bytes": 255, + "src_ip": "10.115.85.219", + "src_mac": "00:50:56:94:d4:c8", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:37.149Z", + "sys_up_time_first": 1088120843, + "sys_up_time_last": 1088120843, + "ts": "2023-12-13T15:25:51.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:51.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-61352.local", + "dns_host_addr": "10.114.83.205", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d3631", + "dns_host_type": "PTR", + "dns_name": "3.d.9.2.5.4.0.b.9.1.8.8.2.1.0.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_transaction_id": 0, + "dns_ttl": 120, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:51.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 18, + "dns_host": "systest-virtual-machine-613736.local", + "dns_name": "systest-virtual-machine-613736.local", + "dns_qdcount": 0, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:52.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4968, + "app_name": "Unknown tcp", + "device_inbound_interface": "0", + "dst_bytes": 286, + "dst_ip": "10.115.83.73", + "dst_mac": "00:50:56:b7:a1:53", + "dst_packets": 3, + "dst_port": 22, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:38.253Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713137159", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 719, + "src_bytes": 518, + "src_ip": "10.70.70.164", + "src_mac": "5c:31:92:40:19:7f", + "src_packets": 7, + "src_port": 50425, + "start_time": "2023-12-13T15:25:36.669Z", + "sys_up_time_first": 1624860683, + "sys_up_time_last": 2430560267, + "ts": "2023-12-13T15:25:52.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 27, + "dns_name": "sys", + "dns_qdcount": 0, + 
"dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:52.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 4962, + "app_name": "Unknown ssl", + "device_inbound_interface": "0", + "dst_bytes": 2335, + "dst_ip": "10.115.81.118", + "dst_mac": "0c:c4:7a:f8:0d:c4", + "dst_packets": 8, + "dst_port": 9080, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:15.821Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713139207", + "intf_name": "0", + "ip_version": "4", + "protocol": "6", + "seq_num": 721, + "src_bytes": 1533, + "src_ip": "10.115.83.4", + "src_mac": "00:50:56:9f:7f:ff", + "src_packets": 11, + "src_port": 41529, + "ssl_cipher_suite_id": "49200", + "ssl_cipher_suite_id_value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "start_time": "2023-12-13T15:25:15.821Z", + "sys_up_time_first": 4035405835, + "sys_up_time_last": 4035405835, + "ts": "2023-12-13T15:25:52.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 30, + "dns_host": "duo-test-cluster._tms_cluster._tcp.local", + "dns_host_type": "PTR", + "dns_name": "_tms_cluster._tcp.local", + "dns_qdcount": 1, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:52.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "dns_ancount": 40, + 
"dns_host": "eqaHCT._tms", + "dns_name": "_tcn_Suki-Cluster._tcp.local", + "dns_qdcount": 2, + "dns_transaction_id": 0, + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "ts": "2023-12-13T15:25:52.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "ecs": { + "version": "8.11.0" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_opcode": "0", + "dns_qdcount": 7, + "dns_query": "_webdav._tcp.local", + "dns_query_type": "12", + "dns_query_type_value": "PTR", + "dns_transaction_id": 0, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:40.285Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713142279", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 724, + "src_bytes": 247, + "src_ip": "10.115.82.8", + "src_mac": "00:50:56:a0:50:0d", + "src_packets": 2, + "src_port": 5353, + "start_time": "2023-12-13T15:25:39.533Z", + "sys_up_time_first": 2430887947, + "sys_up_time_last": 2162649099, + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-common-config.yml b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event 
diff --git a/packages/gigamon/data_stream/ami/_dev/test/system/test-http-endpoint-config.yml b/packages/gigamon/data_stream/ami/_dev/test/system/test-http-endpoint-config.yml
new file mode 100644
index 00000000000..423bb675ed4
--- /dev/null
+++ b/packages/gigamon/data_stream/ami/_dev/test/system/test-http-endpoint-config.yml
@@ -0,0 +1,11 @@
+service: gigamon-ami-http-endpoint
+service_notify_signal: SIGHUP
+input: http_endpoint
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9559
+ preserve_original_event: true
+assert:
+ hit_count: 8
diff --git a/packages/gigamon/data_stream/ami/agent/stream/http_endpoint.yml.hbs b/packages/gigamon/data_stream/ami/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..5a35bf6625d
--- /dev/null
+++ b/packages/gigamon/data_stream/ami/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,30 @@
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+prefix: json
+content_type: ""
+{{#if secret_header}}
+secret.header: {{secret_header}}
+{{/if}}
+{{#if secret_value}}
+secret.value: {{secret_value}}
+{{/if}}
+{{#if preserve_original_event}}
+preserve_original_event: true
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml b/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..13969ead3c1
--- /dev/null
+++ b/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml
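Review bot: `secret.header: {{secret_header}}` and `secret.value: {{secret_value}}` in http_endpoint.yml.hbs are emitted as plain YAML scalars, so a shared secret that looks like a number (all digits, `1e5`), a boolean-ish token, or that contains ` #` or `: ` is retyped or truncated by the YAML parser and the header comparison then fails without an obvious error. Quoting the templated values, `secret.header: "{{secret_header}}"` and `secret.value: "{{secret_value}}"`, keeps them as strings; `listen_address: {{listen_address}}` has the same exposure for an IPv6 literal, though that may match the convention of other http_endpoint templates in the repo. A one-line comment above the `{{#if secret_header}}` block noting that both vars are optional and that the listener accepts any POST on `listen_port` when neither is set would also help operators, since nothing in the template defaults them.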
@@ -0,0 +1,866 @@
+---
+description: Pipeline for Gigamon Ami logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - rename:
+ field: json
+ target_field: gigamon.ami
+ if: ctx.json != null
+ tag: rename_json
+
+ # process dates on base fields
+ - date:
+ field: gigamon.ami.ts
+ tag: date_gigamon_ami_ts
+ target_field: gigamon.ami.ts
+ formats:
+ - 'EEE MMM dd HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - ISO8601
+ if: ctx.gigamon?.ami?.ts != null
+ on_failure:
+ - remove:
+ field: gigamon.ami.ts
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: gigamon.ami.start_time
+ target_field: gigamon.ami.start_time
+ tag: date_gigamon_ami_start_time
+ formats:
+ - 'yyyy:MM:dd HH:mm:ss.SSS'
+ - 'EEE MMM dd HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - ISO8601
+ if: ctx.gigamon?.ami?.start_time != null
+ on_failure:
+ - remove:
+ field: gigamon.ami.start_time
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: gigamon.ami.end_time
+ target_field: gigamon.ami.end_time
+ tag: date_gigamon_ami_end_time
+ formats:
+ - 'yyyy:MM:dd HH:mm:ss.SSS'
+ - 'EEE MMM dd HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - ISO8601
+ if: ctx.gigamon?.ami?.end_time != null
+ on_failure:
+ - remove:
+ field: gigamon.ami.end_time
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: 
gigamon.ami.ssl_validity_not_before
+ target_field: gigamon.ami.ssl_validity_not_before
+ tag: date_gigamon_ami_ssl_validity_not_before
+ formats:
+ - 'yyyy-MM-dd HH:mm:ss'
+ - ISO8601
+ if: ctx.gigamon?.ami?.ssl_validity_not_before != null
+ on_failure:
+ - remove:
+ field: gigamon.ami.ssl_validity_not_before
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: gigamon.ami.ssl_validity_not_after
+ target_field: gigamon.ami.ssl_validity_not_after
+ tag: date_gigamon_ami_ssl_validity_not_after
+ formats:
+ - 'yyyy-MM-dd HH:mm:ss'
+ - ISO8601
+ if: ctx.gigamon?.ami?.ssl_validity_not_after != null
+ on_failure:
+ - remove:
+ field: gigamon.ami.ssl_validity_not_after
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ # set @timestamp from gigamon.ami.ts
+ - set:
+ field: '@timestamp'
+ copy_from: gigamon.ami.ts
+ ignore_empty_value: true
+
+ # convert base fields to long
+ - convert:
+ field: gigamon.ami.seq_num
+ if: ctx.gigamon?.ami?.seq_num != null
+ tag: convert_seq_num
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.seq_num
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.app_id
+ if: ctx.gigamon?.ami?.app_id != null
+ tag: convert_app_id
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.app_id
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.sys_up_time_first
+ if: ctx.gigamon?.ami?.sys_up_time_first != null
+ tag: convert_sys_up_time_first
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.sys_up_time_first
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.sys_up_time_last
+ if: ctx.gigamon?.ami?.sys_up_time_last != null
+ tag: convert_sys_up_time_last
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.sys_up_time_last
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.dst_bytes
+ if: ctx.gigamon?.ami?.dst_bytes != null
+ tag: convert_dst_bytes
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.dst_bytes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.dst_packets
+ if: ctx.gigamon?.ami?.dst_packets != null
+ tag: convert_dst_packets
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.dst_packets
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.dst_port
+ if: 
ctx.gigamon?.ami?.dst_port != null
+ tag: convert_dst_port
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.dst_port
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.src_bytes
+ if: ctx.gigamon?.ami?.src_bytes != null
+ tag: convert_src_bytes
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.src_bytes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.src_packets
+ if: ctx.gigamon?.ami?.src_packets != null
+ tag: convert_src_packets
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.src_packets
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.src_port
+ if: ctx.gigamon?.ami?.src_port != null
+ tag: convert_src_port
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.src_port
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # convert dns_ fields to long
+ - convert:
+ field: gigamon.ami.dns_qdcount
+ if: ctx.gigamon?.ami?.dns_qdcount != null
+ tag: convert_dns_qdcount
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.dns_qdcount
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.dns_transaction_id + if: ctx.gigamon?.ami?.dns_transaction_id != null + tag: convert_dns_transaction_id + type: long + on_failure: + - remove: + field: gigamon.ami.dns_transaction_id + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.dns_ttl + if: ctx.gigamon?.ami?.dns_ttl != null + tag: convert_dns_ttl + type: long + on_failure: + - remove: + field: gigamon.ami.dns_ttl + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.dns_ancount + if: ctx.gigamon?.ami?.dns_ancount != null + tag: convert_dns_ancount + type: long + on_failure: + - remove: + field: gigamon.ami.dns_ancount + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.dns_arcount + if: ctx.gigamon?.ami?.dns_arcount != null + tag: convert_dns_arcount + type: long + # convert dns_ fields to ip + on_failure: + - remove: + field: gigamon.ami.dns_arcount + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' 
+ - convert:
+ field: gigamon.ami.dns_reverse_addr
+ if: ctx.gigamon?.ami?.dns_reverse_addr != null
+ tag: convert_dns_reverse_addr
+ type: ip
+ # convert dns_ fields to double
+ on_failure:
+ - remove:
+ field: gigamon.ami.dns_reverse_addr
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.dns_response_time
+ if: ctx.gigamon?.ami?.dns_response_time != null
+ tag: convert_dns_response_time
+ type: double
+ # convert http_ fields to long
+ on_failure:
+ - remove:
+ field: gigamon.ami.dns_response_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.http_code
+ if: ctx.gigamon?.ami?.http_code != null
+ tag: convert_http_code
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.http_code
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.http_content_len
+ if: ctx.gigamon?.ami?.http_content_len != null
+ tag: convert_http_content_len
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.http_content_len
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.http_request_size
+ if: ctx.gigamon?.ami?.http_request_size != 
null
+ tag: convert_http_request_size
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.http_request_size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # convert ssl_ fields to long
+ - convert:
+ field: gigamon.ami.ssl_request_size
+ if: ctx.gigamon?.ami?.ssl_request_size != null
+ tag: convert_ssl_request_size
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.ssl_request_size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.ssl_client_hello_extension_len
+ if: ctx.gigamon?.ami?.ssl_client_hello_extension_len != null
+ tag: convert_ssl_client_hello_extension_len
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.ssl_client_hello_extension_len
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.ssl_server_hello_extension_len
+ if: ctx.gigamon?.ami?.ssl_server_hello_extension_len != null
+ tag: convert_ssl_server_hello_extension_len
+ type: long
+ on_failure:
+ - remove:
+ field: gigamon.ami.ssl_server_hello_extension_len
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: gigamon.ami.ssl_ext_sig_algorithms_len
+ if: 
ctx.gigamon?.ami?.ssl_ext_sig_algorithms_len != null + tag: convert_ssl_ext_sig_algorithms_len + type: long + on_failure: + - remove: + field: gigamon.ami.ssl_ext_sig_algorithms_len + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.ssl_certificate_subject_key_size + if: ctx.gigamon?.ami?.ssl_certificate_subject_key_size != null + tag: convert_ssl_certificate_subject_key_size + type: long + on_failure: + - remove: + field: gigamon.ami.ssl_certificate_subject_key_size + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: Gigamon AMI lookup mappings + tag: script_lookup_mapping + if: ctx.gigamon?.ami != null + params: + end_reason: + "1": Idle Timeout + "2": Active Timeout + "3": End of Flow + "0": None + http_uri_path: + "*v1*": V1 + smb_version: + "1": SMB-V1 + "2": SMB-V2 + ssl_cipher_suite_id: + "47": + - TLS_RSA_WITH_AES_128_CBC_SHA + - AES128-SHA + "50": + - TLS_DHE_DSS_WITH_AES_128_CBC_SHA + - DHE-DSS-AES128-SHA + "51": + - TLS_DHE_RSA_WITH_AES_128_CBC_SHA + - DHE-RSA-AES128-SHA + "52": + - TLS_DH_anon_WITH_AES_128_CBC_SHA + - ADH-AES128-SHA + "53": + - TLS_RSA_WITH_AES_256_CBC_SHA + - AES256-SHA + "56": + - TLS_DHE_DSS_WITH_AES_256_CBC_SHA + - DHE-DSS-AES256-SHA + "57": + - TLS_DHE_RSA_WITH_AES_256_CBC_SHA + - DHE-RSA-AES256-SHA + "58": + - TLS_DH_anon_WITH_AES_256_CBC_SHA + - ADH-AES256-SHA + "65": + - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + - CAMELLIA128-SHA + "68": + - TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA + - DHE-DSS-CAMELLIA128-SHA + "69": + - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + 
- DHE-RSA-CAMELLIA128-SHA + "70": + - TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA + - ADH-CAMELLIA128-SHA + "108": + - TLS_DH_anon_WITH_AES_128_CBC_SHA256 + - ADH-AES128-SHA256 + "109": + - TLS_DH_anon_WITH_AES_256_CBC_SHA256 + - ADH-AES256-SHA256 + "132": + - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + - CAMELLIA256-SHA + "135": + - TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA + - DHE-DSS-CAMELLIA256-SHA + "136": + - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + - DHE-RSA-CAMELLIA256-SHA + "137": + - TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA + - ADH-CAMELLIA256-SHA + "138": + - TLS_PSK_WITH_RC4_128_SHA + - PSK-RC4-SHA + "139": + - TLS_PSK_WITH_3DES_EDE_CBC_SHA + - PSK-3DES-EDE-CBC-SHA + "140": + - TLS_PSK_WITH_AES_128_CBC_SHA + - PSK-AES128-CBC-SHA + "141": + - TLS_PSK_WITH_AES_256_CBC_SHA + - PSK-AES256-CBC-SHA + "150": + - TLS_RSA_WITH_SEED_CBC_SHA + - SEED-SHA + "153": + - TLS_DHE_DSS_WITH_SEED_CBC_SHA + - DHE-DSS-SEED-SHA + "154": + - TLS_DHE_RSA_WITH_SEED_CBC_SHA + - DHE-RSA-SEED-SHA + "155": + - TLS_DH_anon_WITH_SEED_CBC_SHA + - ADH-SEED-SHA + "156": + - TLS_RSA_WITH_AES_256_CBC_SHA + "166": + - TLS_DH_anon_WITH_AES_128_GCM_SHA256 + - ADH-AES128-GCM-SHA256 + "167": + - TLS_DH_anon_WITH_AES_256_GCM_SHA384 + - ADH-AES256-GCM-SHA384 + "4865": + - TLS_AES_128_GCM_SHA256 + "4866": + - TLS_AES_256_GCM_SHA384 + "19171": + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + "49153": + - TLS_ECDH_ECDSA_WITH_NULL_SHA + - ECDH-ECDSA-NULL-SHA + "49154": + - TLS_ECDH_ECDSA_WITH_RC4_128_SHA + - ECDH-ECDSA-RC4-SHA + "49155": + - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + - ECDH-ECDSA-DES-CBC3-SHA + "49156": + - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + - ECDH-ECDSA-AES128-SHA + "49157": + - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + - ECDH-ECDSA-AES256-SHA + "49158": + - TLS_ECDHE_ECDSA_WITH_NULL_SHA + - ECDHE-ECDSA-NULL-SHA + "49159": + - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + - ECDHE-ECDSA-RC4-SHA + "49160": + - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + - ECDHE-ECDSA-DES-CBC3-SHA + "49161": + - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + 
- ECDHE-ECDSA-AES128-SHA + "49162": + - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + - ECDHE-ECDSA-AES256-SHA + "49163": + - TLS_ECDH_RSA_WITH_NULL_SHA + - ECDH-RSA-NULL-SHA + "49164": + - TLS_ECDH_RSA_WITH_RC4_128_SHA + - ECDH-RSA-RC4-SHA + "49165": + - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + - ECDH-RSA-DES-CBC3-SHA + "49166": + - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + - ECDH-RSA-AES128-SHA + "49167": + - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + - ECDH-RSA-AES256-SHA + "49168": + - TLS_ECDHE_RSA_WITH_NULL_SHA + - ECDHE-RSA-NULL-SHA + "49169": + - TLS_ECDHE_RSA_WITH_RC4_128_SHA + - ECDHE-RSA-RC4-SHA + "49170": + - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + - ECDHE-RSA-DES-CBC3-SHA + "49171": + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + - ECDHE-RSA-AES128-SHA + "49172": + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + - ECDHE-RSA-AES256-SHA + "49173": + - TLS_ECDH_anon_WITH_NULL_SHA + - AECDH-NULL-SHA + "49174": + - TLS_ECDH_anon_WITH_RC4_128_SHA + - AECDH-RC4-SHA + "49175": + - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA + - AECDH-DES-CBC3-SHA + "49176": + - TLS_ECDH_anon_WITH_AES_128_CBC_SHA + - AECDH-AES128-SHA + "49177": + - TLS_ECDH_anon_WITH_AES_256_CBC_SHA + - AECDH-AES256-SHA + "49178": + - TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA + - SRP-3DES-EDE-CBC-SHA + "49179": + - TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA + - SRP-RSA-3DES-EDE-CBC-SHA + "49180": + - TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA + - SRP-DSS-3DES-EDE-CBC-SHA + "49181": + - TLS_SRP_SHA_WITH_AES_128_CBC_SHA + - SRP-AES-128-CBC-SHA + "49182": + - TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA + - SRP-RSA-AES-128-CBC-SHA + "49183": + - TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA + - SRP-DSS-AES-128-CBC-SHA + "49184": + - TLS_SRP_SHA_WITH_AES_256_CBC_SHA + - SRP-AES-256-CBC-SHA + "49185": + - TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA + - SRP-RSA-AES-256-CBC-SHA + "49186": + - TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA + - SRP-DSS-AES-256-CBC-SHA + "49191": + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + "49192": + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + "49195": + - 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + "49196": + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + "49199": + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + "49200": + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + "52392": + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + "52393": + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + ssl_protocol_version: + "2": SSL_2_0 + "768": SSL_3_0 + "769": TLS_1_0 + "770": TLS_1_1 + "771": TLS_1_2 + "772": TLS_1_3 + ssl_ext_sig_algorithm_hash: + "0": None + "1": MD5 + "2": SHA1 + "3": SHA224 + "4": SHA256 + "5": SHA384 + "6": SHA512 + ssl_ext_sig_algorithm_scheme: + "1537": rsa_pkcs1_sha512 + "1027": ecdsa_secp256r1_sha256 + "257": MD5 RSA + "514": SHA1 DSA + "515": ecdsa_sha1 + "769": SHA224 RSA + "770": SHA224 DSA + "771": SHA224 ECDSA + "1025": rsa_pkcs1_sha256 + "1026": SHA256 DSA + "1281": rsa_pkcs1_sha384 + "1282": SHA384 DSA + "1283": ecdsa_secp384r1_sha384 + "1538": SHA512 DSA + "1539": ecdsa_secp521r1_sha512 + "2052": rsa_pss_rsae_sha256 + "2053": rsa_pss_rsae_sha384 + "2054": rsa_pss_rsae_sha512 + "2055": ed25519 + "2056": ed448 + "2057": rsa_pss_pss_sha256 + "2058": rsa_pss_pss_sha384 + "2059": rsa_pss_pss_sha512 + "2570": GREASE + "0": Anonymous + dns_query_type: + "1": A + "2": NS + "3": MD + "4": MF + "5": CNAME + "6": SOA + "7": MB + "8": MG + "9": MR + "10": "NULL" + "11": WKS + "12": PTR + "13": HINFO + "14": MINFO + "15": MX + "16": TXT + "17": RP + "18": AFSDB + "19": X25 + "20": ISDN + "21": RT + "22": NSAP + "23": NSAP-PTR + "24": SIG + "25": KEY + "26": PX + "27": GPOS + "28": AAAA + "29": LOC + "30": NXT + "31": EID + "32": NIMLOC + "33": SRV + "34": ATMA + "35": NAPTR + "36": KX + "37": CERT + "39": DNAME + "40": SINK + "41": OPT + "42": APL + "43": DS + "44": SSHFP + "45": IPSECKEY + "46": RRSIG + "47": NSEC + "48": DNSKEY + "49": DHCID + "50": NSEC3 + "51": NSEC3PARAM + "52": TLSA + "53": SMIMEA + "54": Unassigned + "55": HIP + "56": NINFO + "57": RKEY + "58": TALINK + "59": CDS + "60": CDNSKEY + "61": OPENPGPKEY 
+ "62": CSYNC + "63": ZONEMD + "99": SPF + "100": UINFO + "101": UID + "102": GID + "103": UNSPEC + "104": NID + "105": L32 + "106": L64 + "107": LP + "108": EUI48 + "109": EUI64 + "249": TKEY + "250": TSIG + "251": IXFR + "252": AXFR + "253": MAILB + "254": MAILA + "255": "*" + "256": URI + "257": CAA + "258": AVC + "259": DOA + "260": AMTRELAY + "32768": TA + "32769": DLV + "-1L": unknown + dns_reply_code: + "0": No Error + "1": Format Error + "2": Server Failure + "3": Non-Existent Domain + "4": Not Implemented + "5": Query Refused + "6": Name Exists when it should not + "7": RR Set Exists when it should not + "8": RR Set that should exist does not + "9": Not Authorized + "10": Name not contained in zone + "11": DSO-TYPE Not Implemented + "16": Bad OPT Version + "17": Key not recognized + "18": Signature out of time window + "19": Bad TKEY Mode + "20": Duplicate key name + "21": Algorithm not supported + "22": Bad Truncation + "23": Bad/missing Server Cookie + "-1L": unknown + source: |- + // end_reason + if (ctx.gigamon.ami.end_reason != null) { + ctx.gigamon.ami.end_reason_value = params['end_reason'][ctx.gigamon.ami.end_reason]; + } + // http_uri_path + if (ctx.gigamon.ami.http_uri_path != null) { + ctx.gigamon.ami.http_uri_path_value = params['http_uri_path'][ctx.gigamon.ami.http_uri_path]; + } + // smb_version + if (ctx.gigamon.ami.smb_version != null) { + ctx.gigamon.ami.smb_version_value = params['smb_version'][ctx.gigamon.ami.smb_version]; + } + // ssl_cipher_suite_id + if (ctx.gigamon.ami.ssl_cipher_suite_id != null) { + ctx.gigamon.ami.ssl_cipher_suite_id_value = params['ssl_cipher_suite_id'][ctx.gigamon.ami.ssl_cipher_suite_id]; + } + // ssl_protocol_version + if (ctx.gigamon.ami.ssl_protocol_version != null) { + ctx.gigamon.ami.ssl_protocol_version_value = params['ssl_protocol_version'][ctx.gigamon.ami.ssl_protocol_version]; + } + // ssl_ext_sig_algorithm_hash + if (ctx.gigamon.ami.ssl_ext_sig_algorithm_hash != null) { + 
ctx.gigamon.ami.ssl_ext_sig_algorithm_hash_value = params['ssl_ext_sig_algorithm_hash'][ctx.gigamon.ami.ssl_ext_sig_algorithm_hash]; + } + // ssl_cipher_suite_id + if (ctx.gigamon.ami.ssl_cipher_suite_id != null) { + ctx.gigamon.ami.ssl_cipher_suite_id_value = params['ssl_cipher_suite_id'][ctx.gigamon.ami.ssl_cipher_suite_id][0]; + if (params['ssl_cipher_suite_id'][ctx.gigamon.ami.ssl_cipher_suite_id].size() > 1) { + ctx.gigamon.ami.ssl_cipher_suite_id_protocol = params['ssl_cipher_suite_id'][ctx.gigamon.ami.ssl_cipher_suite_id][1]; + } + } + // ssl_ext_sig_algorithm_scheme + if (ctx.gigamon.ami.ssl_ext_sig_algorithm_scheme != null) { + ctx.gigamon.ami.ssl_ext_sig_algorithm_scheme_value = params['ssl_ext_sig_algorithm_scheme'][ctx.gigamon.ami.ssl_ext_sig_algorithm_scheme]; + } + // dns_query_type + if (ctx.gigamon.ami.dns_query_type != null) { + ctx.gigamon.ami.dns_query_type_value = params['dns_query_type'][ctx.gigamon.ami.dns_query_type]; + } + // dns_reply_code + if (ctx.gigamon.ami.dns_reply_code != null) { + ctx.gigamon.ami.dns_reply_code_value = params['dns_reply_code'][ctx.gigamon.ami.dns_reply_code]; + } + - remove: + field: + - ts + - json + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: Drops null/empty values recursively. 
+ tag: painless_remove_null + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); +on_failure: + - set: + field: error.message + value: >- + Processor '{{ _ingest.on_failure_processor_type }}' + {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}' + - set: + field: event.kind + value: pipeline_error diff --git a/packages/gigamon/data_stream/ami/fields/base-fields.yml b/packages/gigamon/data_stream/ami/fields/base-fields.yml new file mode 100644 index 00000000000..b12d0fbf376 --- /dev/null +++ b/packages/gigamon/data_stream/ami/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gigamon +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gigamon.ami diff --git a/packages/gigamon/data_stream/ami/fields/beats.yml b/packages/gigamon/data_stream/ami/fields/beats.yml new file mode 100644 index 00000000000..2d5ae254634 --- /dev/null +++ b/packages/gigamon/data_stream/ami/fields/beats.yml 
@@ -0,0 +1,9 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/gigamon/data_stream/ami/fields/fields.yml b/packages/gigamon/data_stream/ami/fields/fields.yml
new file mode 100644
index 00000000000..2f7fb4293b7
--- /dev/null
+++ b/packages/gigamon/data_stream/ami/fields/fields.yml
@@ -0,0 +1,263 @@ +- name: gigamon.ami + type: group + fields: + # base fields + - name: id + type: keyword + - name: seq_num + type: long + - name: app_id + type: long + - name: app_name + type: keyword + - name: ts + type: date + - name: vendor + type: keyword + - name: version + type: keyword + - name: generator + type: keyword + - name: protocol + type: keyword + - name: device_inbound_interface + type: keyword + - name: ip_version + type: keyword + - name: start_time + type: date + - name: end_time + type: date + - name: intf_name + type: keyword + - name: egress_intf_id + type: keyword + - name: sys_up_time_first + type: long + - name: sys_up_time_last + type: long + - name: end_reason + type: keyword + - name: end_reason_value + type: keyword + - name: eventType + type: keyword + - name: smb_version + type: keyword + - name: smb_version_value + type: keyword + # dst_ and src_ fields + - name: dst_mac + type: keyword + - name: dst_ip + type: ip + - name: dst_port + type: long + - name: dst_bytes + type: long + - name: dst_packets + type: long + - name: src_mac + type: keyword + - name: src_ip + type: ip + - name: src_port + type: long + - name: src_bytes + type: long + - name: src_packets + type: long + # dns_ fields + - name: dns_qdcount + type: long + - name: dns_transaction_id + type: long + - name: dns_name + type: keyword + - name: dns_host + type: keyword + - name: dns_host_addr + type: keyword + - name: dns_host_type + type: keyword + - name: dns_ttl + type: long + - name: dns_flags + type: keyword + - name: dns_opcode + type: keyword + - name: dns_class + type: keyword + - name: dns_host_class + type: keyword + - name: dns_host_raw + type: keyword + - name: dns_query + type: keyword + - name: dns_query_type + type: keyword + - name: dns_query_type_value + type: keyword + - name: dns_ancount + type: long + - name: dns_arcount + type: long + - name: dns_reply_code + type: keyword + - name: dns_reply_code_value + type: keyword + - name: dns_response_time 
+ type: double + - name: dns_reverse_addr + type: ip + # http_ fields + - name: http_server + type: keyword + - name: http_uri + type: keyword + - name: http_uri_full + type: keyword + - name: http_mime_type + type: keyword + - name: http_server_agent + type: keyword + - name: http_rtt + type: keyword + - name: http_code + type: long + - name: http_content_len + type: long + - name: http_uri_path + type: keyword + - name: http_uri_path_value + type: keyword + - name: http_request_size + type: long + - name: http_host + type: keyword + - name: http_uri_decoded + type: keyword + - name: http_uri_path_decoded + type: keyword + - name: http_uri_raw + type: keyword + - name: http_content_type + type: keyword + - name: http_method + type: keyword + - name: http_version + type: keyword + - name: http_user_agent + type: keyword + # tcp_ fields + - name: tcp_flags + type: keyword + # ssl_ fields + - name: ssl_certif_md5 + type: keyword + - name: ssl_common_name + type: keyword + - name: ssl_issuer + type: keyword + - name: ssl_validity_not_before + type: date + - name: ssl_validity_not_after + type: date + - name: ssl_serial_number + type: keyword + - name: ssl_handshake_type + type: keyword + - name: ssl_organization_name + type: keyword + - name: ssl_request_size + type: long + - name: ssl_cipher_suite_id + type: keyword + - name: ssl_cipher_suite_id_value + type: keyword + - name: ssl_cipher_suite_id_protocol + type: keyword + - name: ssl_cipher_suite_list + type: keyword + - name: ssl_certif_sha1 + type: keyword + - name: ssl_content_type + type: keyword + - name: ssl_protocol_version + type: keyword + - name: ssl_protocol_version_value + type: keyword + - name: ssl_client_hello_extension_type + type: keyword + - name: ssl_server_hello_extension_type + type: keyword + - name: ssl_certificate_dn_subject + type: keyword + - name: ssl_certificate_subject_cn + type: keyword + - name: ssl_certificate_subject_l + type: keyword + - name: ssl_certificate_subject_st + type: 
keyword + - name: ssl_certificate_subject_o + type: keyword + - name: ssl_certificate_subject_ou + type: keyword + - name: ssl_certificate_subject_c + type: keyword + - name: ssl_certificate_dn_issuer + type: keyword + - name: ssl_certificate_issuer_cn + type: keyword + - name: ssl_certificate_issuer_l + type: keyword + - name: ssl_certificate_issuer_st + type: keyword + - name: ssl_certificate_issuer_o + type: keyword + - name: ssl_certificate_issuer_ou + type: keyword + - name: ssl_certificate_issuer_c + type: keyword + - name: ssl_client_hello_extension_len + type: long + - name: ssl_server_hello_extension_len + type: long + - name: ssl_nb_compression_methods + type: keyword + - name: ssl_compression_method + type: keyword + - name: ssl_ext_sig_algorithms_len + type: long + - name: ssl_ext_sig_algorithm_scheme + type: keyword + - name: ssl_ext_sig_algorithm_scheme_value + type: keyword + - name: ssl_ext_sig_algorithm_hash + type: keyword + - name: ssl_ext_sig_algorithm_hash_value + type: keyword + - name: ssl_ext_sig_algorithm_sig + type: keyword + - name: ssl_certificate_subject_key_algo_oid + type: keyword + - name: ssl_certificate_subject_key_size + type: long + - name: ssl_cert_extension_oid + type: keyword + - name: ssl_cert_ext_authority_key_id + type: keyword + - name: ssl_cert_ext_subject_key_id + type: keyword + - name: ssl_fingerprint_ja3 + type: keyword + - name: ssl_fingerprint_ja3s + type: keyword + - name: ssl_index + type: keyword + - name: ssl_session_id + type: keyword + - name: ssl_declassify_override + type: keyword + - name: ssl_signalization_override + type: keyword diff --git a/packages/gigamon/data_stream/ami/manifest.yml b/packages/gigamon/data_stream/ami/manifest.yml new file mode 100644 index 00000000000..a97387cda19 --- /dev/null +++ b/packages/gigamon/data_stream/ami/manifest.yml 
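Review bot: None of the `gigamon.ami.*` fields declared in this hunk carry a `description`, so the generated README table in this same commit shows an empty Description column for every one of them, and a reader cannot tell, for example, `dns_host_addr` (keyword) from `dns_reverse_addr` (ip) or what `ssl_declassify_override` holds. Adding a one-line `description:` per field, starting with the ones detection content keys on (`dns_query`, `ssl_fingerprint_ja3`, `ssl_cipher_suite_id_value`, `http_uri_full`), fixes the table without touching the mappings. Separately, only vendor-namespaced fields are declared here, and the sample event in this commit carries no ECS counterparts (`source.ip`, `destination.ip`, `dns.question.name`, `event.category`) even though the manifest's `preserve_duplicate_custom_fields` option implies ECS mappings exist; if the ingest pipeline (not fully visible in this chunk) does not populate them, ECS-based detection rules will not match these events.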
@@ -0,0 +1,63 @@
+title: Gigamon Application Metadata Intelligence (AMI) Logs
+type: logs
+streams:
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Gigamon Application Metadata Intelligence (AMI) Logs
+ description: Collect the Gigamon Application Metadata Attributes which is in json format via HTTP endpoint.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9559
+ - name: secret_header
+ type: text
+ title: Secret Header
+ description: The header to check for a specific value specified by `secret.value`.
+ required: false
+ show_user: false
+ secret: false
+ - name: secret_value
+ type: password
+ title: Secret Value
+ description: The secret stored in the header name specified by `secret.header`.
+ required: false
+ show_user: false
+ secret: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - gigamon-ami
+ - name: preserve_original_event
+ type: bool
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original.
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
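Review bot: The `preserve_original_event` description opens an inline-code span before `event.original` and never closes it (the value ends in `event.original.`), which leaves an unbalanced backtick in the rendered help text; close the span after `event.original` and put the period outside it. The `secret_header` and `secret_value` descriptions also say nothing about the default state, which is both unset (`required: false`): as far as the http_endpoint input documents it, with no header check configured the listener accepts any POST that reaches the port, so a sentence on `secret_value` such as `If unset, incoming requests are not authenticated; set both values to restrict who can post events.` would make that exposure visible at configuration time. Whether the listener binds to all interfaces depends on `http_endpoint.yml.hbs`, which is not part of this hunk.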
diff --git a/packages/gigamon/data_stream/ami/sample_event.json b/packages/gigamon/data_stream/ami/sample_event.json new file mode 100644 index 00000000000..c76dce4d679 --- /dev/null +++ b/packages/gigamon/data_stream/ami/sample_event.json 
@@ -0,0 +1,85 @@ +{ + "@timestamp": "2023-05-16T15:25:25.000Z", + "agent": { + "ephemeral_id": "0e2836eb-563d-4550-9858-6fc4af32480a", + "id": "931b4c56-94b9-481d-a440-a4d9f31c41fd", + "name": "elastic-agent-58986", + "type": "filebeat", + "version": "8.15.0" + }, + "data_stream": { + "dataset": "gigamon.ami", + "namespace": "16851", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "931b4c56-94b9-481d-a440-a4d9f31c41fd", + "snapshot": false, + "version": "8.15.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "gigamon.ami", + "ingested": "2024-08-23T10:00:41Z", + "original": "{\"app_id\":\"32\",\"app_name\":\"dns\",\"device_inbound_interface\":\"0\",\"dns_class\":\"1\",\"dns_flags\":\"0\",\"dns_host\":\"pnstrex-83816.local\",\"dns_host_addr\":\"10.114.82.101\",\"dns_host_class\":\"1\",\"dns_host_raw\":\"706e73747265782d38333831362e6c6f63616c\",\"dns_host_type\":\"PTR\",\"dns_name\":\"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa\",\"dns_opcode\":\"0\",\"dns_qdcount\":\"4\",\"dns_query\":\"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa\",\"dns_query_type\":\"255\",\"dns_transaction_id\":\"0\",\"dns_ttl\":\"120\",\"dst_bytes\":\"0\",\"dst_ip\":\"224.0.0.251\",\"dst_mac\":\"01:00:5e:00:00:fb\",\"dst_packets\":\"0\",\"dst_port\":\"5353\",\"egress_intf_id\":\"0\",\"end_reason\":\"1\",\"end_time\":\"2023:12:13 15:25:11.181\",\"generator\":\"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6\",\"id\":\"679408454713072647\",\"intf_name\":\"0\",\"ip_version\":\"4\",\"protocol\":\"17\",\"seq_num\":\"656\",\"src_bytes\":\"337\",\"src_ip\":\"10.114.82.101\",\"src_mac\":\"00:50:56:8d:89:41\",\"src_packets\":\"1\",\"src_port\":\"5353\",\"start_time\":\"2023:12:13 15:25:11.181\",\"sys_up_time_first\":\"3497355275\",\"sys_up_time_last\":\"3497355275\",\"ts\":\"Thu May 16 15:25:25 2023\",\"vendor\":\"Gigamon\",\"version\":\"6.5.00\"}" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-83816.local", + "dns_host_addr": "10.114.82.101", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333831362e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa", + "dns_query_type": "255", + "dns_query_type_value": "*", + "dns_transaction_id": 0, + "dns_ttl": 120, + "dst_bytes": 0, + "dst_ip": "224.0.0.251", + "dst_mac": "01:00:5e:00:00:fb", + "dst_packets": 0, + "dst_port": 5353, + "egress_intf_id": "0", + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "end_time": "2023-12-13T15:25:11.181Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "679408454713072647", + "intf_name": "0", + "ip_version": "4", + "protocol": "17", + "seq_num": 656, + "src_bytes": 337, + "src_ip": "10.114.82.101", + "src_mac": "00:50:56:8d:89:41", + "src_packets": 1, + "src_port": 5353, + "start_time": "2023-12-13T15:25:11.181Z", + "sys_up_time_first": 3497355275, + "sys_up_time_last": 3497355275, + "ts": "2023-05-16T15:25:25.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "input": { + "type": "http_endpoint" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "gigamon-ami" + ] +} \ No newline at end of file diff --git a/packages/gigamon/docs/README.md b/packages/gigamon/docs/README.md new file mode 100644 index 00000000000..00b25abf2cb --- /dev/null +++ b/packages/gigamon/docs/README.md 
@@ -0,0 +1,331 @@ +# Gigamon Integration + +Gigamon leverages deep packet inspection (DPI) to extract over 7500+ app related metadata attributes from the raw packets in the network. Gigamon Elastic Integration delivers intelligent security analytics and threat intelligence across the enterprise, and you get a single solution for attack detection, threat visibility, proactive hunting, and threat response. + +## Data streams + +The Gigamon integration currently provides a single +data stream: `ami`. + +## Requirements + +- Elastic Agent must be installed. +- You can install only one Elastic Agent per host. + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to +define, configure, and manage your agents in a central location. We recommend +using Fleet management because it makes the management and upgrade of your +agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent +locally on the system where it is installed. You are responsible for managing +and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or +standalone. Docker images for all versions of Elastic Agent are available +from the Elastic Docker registry, and we provide deployment manifests for +running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more +information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **kibana.version** required is **8.12.0**. 
+ + +### Setup + +## Gigamon setup + +To export data to Gigamon Elastic Integration. + +1. From Fabric Manager, Deploy an AMX node with traffic acquisition method as "Customer Orchestrated Source". + +2. Create an Monitoring Session with (Rep In ----> AMX ---> Rep Out). + + + +To add AMX application: + +1. Drag and drop Application Metadata Exporter from APPLICATIONS to the graphical workspace. The Application quick view appears. +2. Enter the Alias for the application. Enter a port number for the Cloud Tool Ingestor Port. Then, click the Add button for Cloud Tool Exports. +3. You can export your Application Metadata Intelligence output to cloud tools. Enter the following details for the Cloud tool export in the Application quick view: + + -**Alias**:Enter the alias name for the cloud tool export. + + -**Cloud Tool**:Select the Cloud tool from the drop-down menu.If it is not available click "others". + + -**Endpoint**:Give the URL of the cloud tool instance with the correct port number in which the port is listening. + + -**Headers**:Enter the secret header and enable secure keys + + -**Enable Export**:Enable the box to export the Application Metadata Intelligence output in JSON format. + + -**Zip**:Enable the box to compress the output file. + + -**Interval**:The time interval (in seconds) in which the data should be uploaded periodically. The recommended minimum time interval is 10 seconds and the maximum time interval is 30 minutes. + + -**Parallel Writer**:Specifies the number of simultaneous JSON exports done. + + -**Export Retries**:The number of times the application tries to export the entries to Cloud Tool. The recommended minimum value is 4 and the maximum is 10. + + -**Maximum Entries**:The number of JSON entries in a file. The maximum number of allowed entries is 5000 and the minimum is 10, however 1000 is the default value. + + -**Labels**:Click Add. Enter the following details: + + o Enter the Key . + o Enter the Value. + + +4. 
Click Deploy to deploy the monitoring session. The Select nodes to deploy the Monitoring Session dialog box appears. Select the GigaVUE V Series Node for which you wish to deploy the monitoring session. +5. After selecting the V Series Node, select the interfaces for the REPs deployed in the monitoring session from the drop-down menu. Then, click Deploy. + +## Logs Reference + +### ami + +This is the `ami` dataset. + +#### Example + +An example event for `ami` looks as following: + +```json +{ + "@timestamp": "2023-05-16T15:25:25.000Z", + "agent": { + "ephemeral_id": "0e2836eb-563d-4550-9858-6fc4af32480a", + "id": "931b4c56-94b9-481d-a440-a4d9f31c41fd", + "name": "elastic-agent-58986", + "type": "filebeat", + "version": "8.15.0" + }, + "data_stream": { + "dataset": "gigamon.ami", + "namespace": "16851", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "931b4c56-94b9-481d-a440-a4d9f31c41fd", + "snapshot": false, + "version": "8.15.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "gigamon.ami", + "ingested": "2024-08-23T10:00:41Z", + "original": "{\"app_id\":\"32\",\"app_name\":\"dns\",\"device_inbound_interface\":\"0\",\"dns_class\":\"1\",\"dns_flags\":\"0\",\"dns_host\":\"pnstrex-83816.local\",\"dns_host_addr\":\"10.114.82.101\",\"dns_host_class\":\"1\",\"dns_host_raw\":\"706e73747265782d38333831362e6c6f63616c\",\"dns_host_type\":\"PTR\",\"dns_name\":\"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa\",\"dns_opcode\":\"0\",\"dns_qdcount\":\"4\",\"dns_query\":\"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa\",\"dns_query_type\":\"255\",\"dns_transaction_id\":\"0\",\"dns_ttl\":\"120\",\"dst_bytes\":\"0\",\"dst_ip\":\"224.0.0.251\",\"dst_mac\":\"01:00:5e:00:00:fb\",\"dst_packets\":\"0\",\"dst_port\":\"5353\",\"egress_intf_id\":\"0\",\"end_reason\":\"1\",\"end_time\":\"2023:12:13 15:25:11.181\",\"generator\":\"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6\",\"id\":\"679408454713072647\",\"intf_name\":\"0\",\"ip_version\":\"4\",\"protocol\":\"17\",\"seq_num\":\"656\",\"src_bytes\":\"337\",\"src_ip\":\"10.114.82.101\",\"src_mac\":\"00:50:56:8d:89:41\",\"src_packets\":\"1\",\"src_port\":\"5353\",\"start_time\":\"2023:12:13 15:25:11.181\",\"sys_up_time_first\":\"3497355275\",\"sys_up_time_last\":\"3497355275\",\"ts\":\"Thu May 16 15:25:25 2023\",\"vendor\":\"Gigamon\",\"version\":\"6.5.00\"}" + }, + "gigamon": { + "ami": { + "app_id": 32, + "app_name": "dns", + "device_inbound_interface": "0", + "dns_class": "1", + "dns_flags": "0", + "dns_host": "pnstrex-83816.local", + "dns_host_addr": "10.114.82.101", + "dns_host_class": "1", + "dns_host_raw": "706e73747265782d38333831362e6c6f63616c", + "dns_host_type": "PTR", + "dns_name": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa", + "dns_opcode": "0", + "dns_qdcount": 4, + "dns_query": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa",
+ "dns_query_type": "255",
+ "dns_query_type_value": "*",
+ "dns_transaction_id": 0,
+ "dns_ttl": 120,
+ "dst_bytes": 0,
+ "dst_ip": "224.0.0.251",
+ "dst_mac": "01:00:5e:00:00:fb",
+ "dst_packets": 0,
+ "dst_port": 5353,
+ "egress_intf_id": "0",
+ "end_reason": "1",
+ "end_reason_value": "Idle Timeout",
+ "end_time": "2023-12-13T15:25:11.181Z",
+ "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6",
+ "id": "679408454713072647",
+ "intf_name": "0",
+ "ip_version": "4",
+ "protocol": "17",
+ "seq_num": 656,
+ "src_bytes": 337,
+ "src_ip": "10.114.82.101",
+ "src_mac": "00:50:56:8d:89:41",
+ "src_packets": 1,
+ "src_port": 5353,
+ "start_time": "2023-12-13T15:25:11.181Z",
+ "sys_up_time_first": 3497355275,
+ "sys_up_time_last": 3497355275,
+ "ts": "2023-05-16T15:25:25.000Z",
+ "vendor": "Gigamon",
+ "version": "6.5.00"
+ }
+ },
+ "input": {
+ "type": "http_endpoint"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "gigamon-ami"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. 
| constant_keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| gigamon.ami.app_id | | long |
+| gigamon.ami.app_name | | keyword |
+| gigamon.ami.device_inbound_interface | | keyword |
+| gigamon.ami.dns_ancount | | long |
+| gigamon.ami.dns_arcount | | long |
+| gigamon.ami.dns_class | | keyword |
+| gigamon.ami.dns_flags | | keyword |
+| gigamon.ami.dns_host | | keyword |
+| gigamon.ami.dns_host_addr | | keyword |
+| gigamon.ami.dns_host_class | | keyword |
+| gigamon.ami.dns_host_raw | | keyword |
+| gigamon.ami.dns_host_type | | keyword |
+| gigamon.ami.dns_name | | keyword |
+| gigamon.ami.dns_opcode | | keyword |
+| gigamon.ami.dns_qdcount | | long |
+| gigamon.ami.dns_query | | keyword |
+| gigamon.ami.dns_query_type | | keyword |
+| gigamon.ami.dns_query_type_value | | keyword |
+| gigamon.ami.dns_reply_code | | keyword |
+| gigamon.ami.dns_reply_code_value | | keyword |
+| gigamon.ami.dns_response_time | | double |
+| gigamon.ami.dns_reverse_addr | | ip |
+| gigamon.ami.dns_transaction_id | | long |
+| gigamon.ami.dns_ttl | | long |
+| gigamon.ami.dst_bytes | | long |
+| gigamon.ami.dst_ip | | ip |
+| gigamon.ami.dst_mac | | keyword |
+| gigamon.ami.dst_packets | | long |
+| gigamon.ami.dst_port | | long |
+| gigamon.ami.egress_intf_id | | keyword |
+| gigamon.ami.end_reason | | keyword |
+| gigamon.ami.end_reason_value | | keyword |
+| gigamon.ami.end_time | | date |
+| gigamon.ami.eventType | | keyword |
+| gigamon.ami.generator | | keyword |
+| gigamon.ami.http_code | | long |
+| gigamon.ami.http_content_len | | long |
+| gigamon.ami.http_content_type | | keyword |
+| gigamon.ami.http_host | | keyword |
+| gigamon.ami.http_method | | keyword |
+| gigamon.ami.http_mime_type | | keyword |
+| gigamon.ami.http_request_size | | long |
+| gigamon.ami.http_rtt | | keyword |
+| gigamon.ami.http_server | | keyword |
+| gigamon.ami.http_server_agent | | keyword |
+| gigamon.ami.http_uri | | 
keyword |
+| gigamon.ami.http_uri_decoded | | keyword |
+| gigamon.ami.http_uri_full | | keyword |
+| gigamon.ami.http_uri_path | | keyword |
+| gigamon.ami.http_uri_path_decoded | | keyword |
+| gigamon.ami.http_uri_path_value | | keyword |
+| gigamon.ami.http_uri_raw | | keyword |
+| gigamon.ami.http_user_agent | | keyword |
+| gigamon.ami.http_version | | keyword |
+| gigamon.ami.id | | keyword |
+| gigamon.ami.intf_name | | keyword |
+| gigamon.ami.ip_version | | keyword |
+| gigamon.ami.protocol | | keyword |
+| gigamon.ami.seq_num | | long |
+| gigamon.ami.smb_version | | keyword |
+| gigamon.ami.smb_version_value | | keyword |
+| gigamon.ami.src_bytes | | long |
+| gigamon.ami.src_ip | | ip |
+| gigamon.ami.src_mac | | keyword |
+| gigamon.ami.src_packets | | long |
+| gigamon.ami.src_port | | long |
+| gigamon.ami.ssl_cert_ext_authority_key_id | | keyword |
+| gigamon.ami.ssl_cert_ext_subject_key_id | | keyword |
+| gigamon.ami.ssl_cert_extension_oid | | keyword |
+| gigamon.ami.ssl_certif_md5 | | keyword |
+| gigamon.ami.ssl_certif_sha1 | | keyword |
+| gigamon.ami.ssl_certificate_dn_issuer | | keyword |
+| gigamon.ami.ssl_certificate_dn_subject | | keyword |
+| gigamon.ami.ssl_certificate_issuer_c | | keyword |
+| gigamon.ami.ssl_certificate_issuer_cn | | keyword |
+| gigamon.ami.ssl_certificate_issuer_l | | keyword |
+| gigamon.ami.ssl_certificate_issuer_o | | keyword |
+| gigamon.ami.ssl_certificate_issuer_ou | | keyword |
+| gigamon.ami.ssl_certificate_issuer_st | | keyword |
+| gigamon.ami.ssl_certificate_subject_c | | keyword |
+| gigamon.ami.ssl_certificate_subject_cn | | keyword |
+| gigamon.ami.ssl_certificate_subject_key_algo_oid | | keyword |
+| gigamon.ami.ssl_certificate_subject_key_size | | long |
+| gigamon.ami.ssl_certificate_subject_l | | keyword |
+| gigamon.ami.ssl_certificate_subject_o | | keyword |
+| gigamon.ami.ssl_certificate_subject_ou | | keyword |
+| gigamon.ami.ssl_certificate_subject_st | | keyword |
+| 
gigamon.ami.ssl_cipher_suite_id | | keyword |
+| gigamon.ami.ssl_cipher_suite_id_protocol | | keyword |
+| gigamon.ami.ssl_cipher_suite_id_value | | keyword |
+| gigamon.ami.ssl_cipher_suite_list | | keyword |
+| gigamon.ami.ssl_client_hello_extension_len | | long |
+| gigamon.ami.ssl_client_hello_extension_type | | keyword |
+| gigamon.ami.ssl_common_name | | keyword |
+| gigamon.ami.ssl_compression_method | | keyword |
+| gigamon.ami.ssl_content_type | | keyword |
+| gigamon.ami.ssl_declassify_override | | keyword |
+| gigamon.ami.ssl_ext_sig_algorithm_hash | | keyword |
+| gigamon.ami.ssl_ext_sig_algorithm_hash_value | | keyword |
+| gigamon.ami.ssl_ext_sig_algorithm_scheme | | keyword |
+| gigamon.ami.ssl_ext_sig_algorithm_scheme_value | | keyword |
+| gigamon.ami.ssl_ext_sig_algorithm_sig | | keyword |
+| gigamon.ami.ssl_ext_sig_algorithms_len | | long |
+| gigamon.ami.ssl_fingerprint_ja3 | | keyword |
+| gigamon.ami.ssl_fingerprint_ja3s | | keyword |
+| gigamon.ami.ssl_handshake_type | | keyword |
+| gigamon.ami.ssl_index | | keyword |
+| gigamon.ami.ssl_issuer | | keyword |
+| gigamon.ami.ssl_nb_compression_methods | | keyword |
+| gigamon.ami.ssl_organization_name | | keyword |
+| gigamon.ami.ssl_protocol_version | | keyword |
+| gigamon.ami.ssl_protocol_version_value | | keyword |
+| gigamon.ami.ssl_request_size | | long |
+| gigamon.ami.ssl_serial_number | | keyword |
+| gigamon.ami.ssl_server_hello_extension_len | | long |
+| gigamon.ami.ssl_server_hello_extension_type | | keyword |
+| gigamon.ami.ssl_session_id | | keyword |
+| gigamon.ami.ssl_signalization_override | | keyword |
+| gigamon.ami.ssl_validity_not_after | | date |
+| gigamon.ami.ssl_validity_not_before | | date |
+| gigamon.ami.start_time | | date |
+| gigamon.ami.sys_up_time_first | | long |
+| gigamon.ami.sys_up_time_last | | long |
+| gigamon.ami.tcp_flags | | keyword |
+| gigamon.ami.ts | | date |
+| gigamon.ami.vendor | | keyword |
+| gigamon.ami.version | | keyword |
+| input.type | 
Type of Filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| tags | User defined tags. | keyword |
+
+
diff --git a/packages/gigamon/img/App_Insights_Dashboard.png b/packages/gigamon/img/App_Insights_Dashboard.png
new file mode 100644
index 00000000000..e3a95b290d4
Binary files /dev/null and b/packages/gigamon/img/App_Insights_Dashboard.png differ
diff --git a/packages/gigamon/img/Identifier_Analysis_Dashboard.png b/packages/gigamon/img/Identifier_Analysis_Dashboard.png
new file mode 100644
index 00000000000..5e6ede259ee
Binary files /dev/null and b/packages/gigamon/img/Identifier_Analysis_Dashboard.png differ
diff --git a/packages/gigamon/img/M21-31_Dashboard.png b/packages/gigamon/img/M21-31_Dashboard.png
new file mode 100644
index 00000000000..6fcea4048d4
Binary files /dev/null and b/packages/gigamon/img/M21-31_Dashboard.png differ
diff --git a/packages/gigamon/img/PCI_Compliance_Dashboard.png b/packages/gigamon/img/PCI_Compliance_Dashboard.png
new file mode 100644
index 00000000000..2851c14bd60
Binary files /dev/null and b/packages/gigamon/img/PCI_Compliance_Dashboard.png differ
diff --git a/packages/gigamon/img/Rogue_Activity_Dashboard.png b/packages/gigamon/img/Rogue_Activity_Dashboard.png
new file mode 100644
index 00000000000..c709db26ef8
Binary files /dev/null and b/packages/gigamon/img/Rogue_Activity_Dashboard.png differ
diff --git a/packages/gigamon/img/Security_Posture_Dashboard.png b/packages/gigamon/img/Security_Posture_Dashboard.png
new file mode 100644
index 00000000000..096858cd739
Binary files /dev/null and b/packages/gigamon/img/Security_Posture_Dashboard.png differ
diff --git a/packages/gigamon/img/Suspicious_Activity_Dashboard.png b/packages/gigamon/img/Suspicious_Activity_Dashboard.png
new file mode 100644
index 00000000000..d9970a0d3d0
Binary files /dev/null and b/packages/gigamon/img/Suspicious_Activity_Dashboard.png differ
diff --git a/packages/gigamon/img/Troubleshooting_Dashboard.png b/packages/gigamon/img/Troubleshooting_Dashboard.png
new file mode 100644
index 00000000000..d9128f656f9
Binary files /dev/null and b/packages/gigamon/img/Troubleshooting_Dashboard.png differ
diff --git a/packages/gigamon/img/gigamon-logo.svg b/packages/gigamon/img/gigamon-logo.svg
new file mode 100644
index 00000000000..db203692085
--- /dev/null
+++ b/packages/gigamon/img/gigamon-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/gigamon/kibana/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb.json b/packages/gigamon/kibana/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb.json
new file mode 100644
index 00000000000..d2cbef791d4
--- /dev/null
+++ b/packages/gigamon/kibana/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb.json
@@ -0,0 +1,2690 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [**PCI Compliance**](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"d3817a9d-43fa-4d42-ab96-6419f34baa2e", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "d3817a9d-43fa-4d42-ab96-6419f34baa2e", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-7c68c54d-62b4-49f1-8a13-f778321dd524", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7c68c54d-62b4-49f1-8a13-f778321dd524": { + "columnOrder": [ + "3afa4586-bf0f-4920-a49e-1a2da9e2ec78", + "7bada444-3bfe-4b3c-a5cf-f58cdcc0d5bb" + ], + "columns": { + "3afa4586-bf0f-4920-a49e-1a2da9e2ec78": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.ssl_protocol_version_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7bada444-3bfe-4b3c-a5cf-f58cdcc0d5bb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_protocol_version_value" + }, + "7bada444-3bfe-4b3c-a5cf-f58cdcc0d5bb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "allowMultipleMetrics": false, + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + 
"colorIndex": 8, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorCode": "#e0cdd3", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7c68c54d-62b4-49f1-8a13-f778321dd524", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "7bada444-3bfe-4b3c-a5cf-f58cdcc0d5bb" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3afa4586-bf0f-4920-a49e-1a2da9e2ec78" + ], + "secondaryGroups": [] + } + ], + "shape": "mosaic" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "9398dc6a-34e1-4932-a812-4aa0eb66c174", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "9398dc6a-34e1-4932-a812-4aa0eb66c174", + "title": "TLS Versions[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-5c045cd1-896d-4616-ab58-e438179a1271", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c045cd1-896d-4616-ab58-e438179a1271": { + "columnOrder": [ + "c2881bde-6dda-4c4f-a651-01a6275a118b", + "532096e0-c3f5-45dd-8913-681d0c7e4b56" + ], + "columns": { + "532096e0-c3f5-45dd-8913-681d0c7e4b56": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c2881bde-6dda-4c4f-a651-01a6275a118b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.ssl_cipher_suite_id_value", + "operationType": "terms", + 
"params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "532096e0-c3f5-45dd-8913-681d0c7e4b56", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_cipher_suite_id_value" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "allowMultipleMetrics": false, + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#dbcdb4", + "touched": false, + "type": "colorCode" + }, + { + "colorIndex": 2, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + }, + { + "colorCode": "#453b08", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5c045cd1-896d-4616-ab58-e438179a1271", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "532096e0-c3f5-45dd-8913-681d0c7e4b56" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c2881bde-6dda-4c4f-a651-01a6275a118b" + ], + "secondaryGroups": [] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "dff9d72d-84a2-485f-895f-d41ceb25b537", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "dff9d72d-84a2-485f-895f-d41ceb25b537", + "title": "Weak 
Ciphers[Gigamon CIM]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-b41c5eb7-b859-49fd-98e0-3f44e409b57e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b41c5eb7-b859-49fd-98e0-3f44e409b57e": { + "columnOrder": [ + "6a26cd13-29eb-44cb-bdfa-3f76a1b033c6", + "6cf31472-45a3-4507-b97b-3cbec1f54206" + ], + "columns": { + "6a26cd13-29eb-44cb-bdfa-3f76a1b033c6": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of gigamon.ami.app_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "http", + "http2", + "https" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6cf31472-45a3-4507-b97b-3cbec1f54206", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "6cf31472-45a3-4507-b97b-3cbec1f54206": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + 
"6cf31472-45a3-4507-b97b-3cbec1f54206" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "b41c5eb7-b859-49fd-98e0-3f44e409b57e", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "6a26cd13-29eb-44cb-bdfa-3f76a1b033c6", + "yConfig": [ + { + "color": "#5e2141", + "forAccessor": "6cf31472-45a3-4507-b97b-3cbec1f54206" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "09fe9c07-9113-427b-9c1d-c50defd14c0a", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "09fe9c07-9113-427b-9c1d-c50defd14c0a", + "title": "Web Traffic[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-f00fe1d2-0b00-4926-ba8b-50f5098b4aec", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f00fe1d2-0b00-4926-ba8b-50f5098b4aec": { + "columnOrder": [ + "23d833e9-3564-4a0b-933e-9a1c4ef14e4c", + "02376fc5-57ae-4829-ad13-300c578fbfbe" + ], + "columns": { + "02376fc5-57ae-4829-ad13-300c578fbfbe": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "23d833e9-3564-4a0b-933e-9a1c4ef14e4c": { + "dataType": "string", + "isBucketed": 
true, + "label": "Top 5 values of gigamon.ami.ssl_ext_sig_algorithm_hash_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02376fc5-57ae-4829-ad13-300c578fbfbe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_ext_sig_algorithm_hash_value" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "02376fc5-57ae-4829-ad13-300c578fbfbe" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f00fe1d2-0b00-4926-ba8b-50f5098b4aec", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "23d833e9-3564-4a0b-933e-9a1c4ef14e4c", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "02376fc5-57ae-4829-ad13-300c578fbfbe" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Lookout for MD5 and SHA1", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4b26f1c1-a5e3-4373-801a-9606d43da277", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "4b26f1c1-a5e3-4373-801a-9606d43da277", + "title": "Cryptographic Hash[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-d38e1fb2-0496-472a-82f2-7c88d7f947d4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d38e1fb2-0496-472a-82f2-7c88d7f947d4": { + "columnOrder": [ + "45c2b897-c01e-4a17-a21a-cb7505e403d6", + "bbb57ed4-9a2a-4daf-9938-ca701d68fe2a" + ], + "columns": { + "45c2b897-c01e-4a17-a21a-cb7505e403d6": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.ssl_ext_sig_algorithm_scheme_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bbb57ed4-9a2a-4daf-9938-ca701d68fe2a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_ext_sig_algorithm_scheme_value" + }, + "bbb57ed4-9a2a-4daf-9938-ca701d68fe2a": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : 
\"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 8, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 1, + "paletteId": "neutral", + "touched": true, + "type": "categorical" + }, + { + "colorCode": "#2c8ee7", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "d38e1fb2-0496-472a-82f2-7c88d7f947d4", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "bbb57ed4-9a2a-4daf-9938-ca701d68fe2a" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "45c2b897-c01e-4a17-a21a-cb7505e403d6" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e35868f4-1c6e-4eff-a933-08884a7fc300", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "e35868f4-1c6e-4eff-a933-08884a7fc300", + "title": " Key Exchange Protocols[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-a267cd60-3767-4e26-8b44-4761dd601e16", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "c001313b-a4ee-4ec8-91bb-e412b3bbe5d2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a267cd60-3767-4e26-8b44-4761dd601e16": { + "columnOrder": [ + "1ae3f675-9720-45ac-9f42-43be896a768f" + ], + "columns": { + "1ae3f675-9720-45ac-9f42-43be896a768f": { + "customLabel": true, + "dataType": 
"number", + "isBucketed": false, + "label": "Total Certificates Expired", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.ssl_validity_not_after", + "index": "c001313b-a4ee-4ec8-91bb-e412b3bbe5d2", + "key": "gigamon.ami.ssl_validity_not_after", + "negate": false, + "params": { + "lt": "2024-08-01T00:00:00.000+05:30" + }, + "type": "range", + "value": { + "lt": "2024-08-01T00:00:00.000+05:30" + } + }, + "query": { + "range": { + "gigamon.ami.ssl_validity_not_after": { + "lt": "2024-08-01T00:00:00.000+05:30" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "accessor": "1ae3f675-9720-45ac-9f42-43be896a768f", + "colorMode": "Background", + "layerId": "a267cd60-3767-4e26-8b44-4761dd601e16", + "layerType": "data", + "palette": { + "name": "status", + "params": { + "continuity": "all", + "maxSteps": 5, + "name": "status", + "progression": "fixed", + "rangeMax": 70.5, + "rangeMin": 0, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#209280", + "stop": 0 + }, + { + "color": "#d6bf57", + "stop": 31.33 + }, + { + "color": "#cc5642", + "stop": 62.66 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "039714a2-0b5f-4ce1-aea0-35887146d978", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "039714a2-0b5f-4ce1-aea0-35887146d978", + "title": "", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-f8c599bc-4580-4a39-a5fa-1cc2a68260d7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f8c599bc-4580-4a39-a5fa-1cc2a68260d7": { + "columnOrder": [ + "5b513fb1-7f19-4f04-b85f-e5b7f9ccc7ed", + "4f062c03-a3df-4b2c-bbfb-184f1899ae46", + "2008e32d-421d-41ce-8daa-747b57a1fe35", + "27dcd775-b0c5-4805-9670-6780d019d83f", + "ff65ac60-8d9b-41fe-b63e-1260aa77b113", + "c9c8b223-bffd-4990-bb41-9aa56a0ebbb7" + ], + "columns": { + "2008e32d-421d-41ce-8daa-747b57a1fe35": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Server ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ff65ac60-8d9b-41fe-b63e-1260aa77b113", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "27dcd775-b0c5-4805-9670-6780d019d83f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ff65ac60-8d9b-41fe-b63e-1260aa77b113", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "4f062c03-a3df-4b2c-bbfb-184f1899ae46": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Issuer", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + 
"include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ff65ac60-8d9b-41fe-b63e-1260aa77b113", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_issuer" + }, + "5b513fb1-7f19-4f04-b85f-e5b7f9ccc7ed": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Common Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ff65ac60-8d9b-41fe-b63e-1260aa77b113", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_common_name" + }, + "c9c8b223-bffd-4990-bb41-9aa56a0ebbb7": { + "customLabel": true, + "dataType": "date", + "isBucketed": false, + "label": "Expiration Time", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.ssl_validity_not_after" + }, + "ff65ac60-8d9b-41fe-b63e-1260aa77b113": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "ff65ac60-8d9b-41fe-b63e-1260aa77b113", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "c9c8b223-bffd-4990-bb41-9aa56a0ebbb7", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": 
"5b513fb1-7f19-4f04-b85f-e5b7f9ccc7ed", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "4f062c03-a3df-4b2c-bbfb-184f1899ae46", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "2008e32d-421d-41ce-8daa-747b57a1fe35", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "27dcd775-b0c5-4805-9670-6780d019d83f", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "f8c599bc-4580-4a39-a5fa-1cc2a68260d7", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "846e11e1-efc8-4311-88a7-cadb7aca1ad4", + "w": 24, + "x": 0, + "y": 51 + }, + "panelIndex": "846e11e1-efc8-4311-88a7-cadb7aca1ad4", + "title": "TLS Certificate Validity Details[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-e6f6eaaa-bde7-4b77-a5a3-2cbdc2449a35", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e6f6eaaa-bde7-4b77-a5a3-2cbdc2449a35": { + "columnOrder": [ + "69512011-8f1d-4522-a596-baca152b5e8a", + "8595817d-f7a0-4f87-b056-87af947e684b" + ], + "columns": { + "69512011-8f1d-4522-a596-baca152b5e8a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.app_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": true, + "missingBucket": false, + "orderBy": { + "columnId": "8595817d-f7a0-4f87-b056-87af947e684b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "8595817d-f7a0-4f87-b056-87af947e684b": { + "dataType": "number", + "isBucketed": false, 
+ "label": "Count of gigamon.ami.app_name", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8595817d-f7a0-4f87-b056-87af947e684b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "e6f6eaaa-bde7-4b77-a5a3-2cbdc2449a35", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "69512011-8f1d-4522-a596-baca152b5e8a", + "yConfig": [ + { + "color": "#8529e8", + "forAccessor": "8595817d-f7a0-4f87-b056-87af947e684b" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a7f83583-f83e-41fb-bce5-fd13fc774a8f", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "a7f83583-f83e-41fb-bce5-fd13fc774a8f", + "title": "Application Overview[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { 
+ "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-fd16c376-c72d-484f-b22d-b1e48d9806c1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "fd16c376-c72d-484f-b22d-b1e48d9806c1": { + "columnOrder": [ + "476e243b-d175-4f93-80da-279b1a84e88a", + "1d98ba0b-1344-43f0-95a6-6fd92945b4c6", + "b7ef20e6-a37c-4a14-850e-b5dc9a68550f", + "3f68b672-8f26-4237-b7bd-8084a4cdf3fc", + "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e" + ], + "columns": { + "1d98ba0b-1344-43f0-95a6-6fd92945b4c6": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "3f68b672-8f26-4237-b7bd-8084a4cdf3fc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Applications", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "476e243b-d175-4f93-80da-279b1a84e88a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Deprecated SSL versions", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + 
"SSL_2_0", + "SSL_3_0" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_protocol_version_value" + }, + "b7ef20e6-a37c-4a14-850e-b5dc9a68550f": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destinaon ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "476e243b-d175-4f93-80da-279b1a84e88a" + }, + { + "columnId": "be934f0b-63f0-4f45-bc1d-b5dcf0ecd86e" + }, + { + "columnId": "1d98ba0b-1344-43f0-95a6-6fd92945b4c6", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "b7ef20e6-a37c-4a14-850e-b5dc9a68550f", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "3f68b672-8f26-4237-b7bd-8084a4cdf3fc", + "isMetric": false, + "isTransposed": false + 
} + ], + "layerId": "fd16c376-c72d-484f-b22d-b1e48d9806c1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ca21225a-3af7-4bc9-8602-433089592d5f", + "w": 24, + "x": 0, + "y": 66 + }, + "panelIndex": "ca21225a-3af7-4bc9-8602-433089592d5f", + "title": "Sessions using Old SSL Versions - Applications, Servers and Clients using deprecated and risky SSL versions[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Insecure Protocol/Service/Port**\n\nServices, protocols, or ports that transmit data or authentication credentials (for example, password/passphrase) in clear-text over the Internet", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 6, + "i": "4f971a25-e30d-4550-b820-55678e388ee0", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "4f971a25-e30d-4550-b820-55678e388ee0", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-a82f90ee-acf4-4ff5-899f-a5e07ae82bf7", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "d8152df4-c3d5-4e93-ac0d-9d13a3cd834e", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "088f2453-2e6e-4f79-adf6-f3ee0d498e49", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "14efcd52-a120-4efe-8502-da61db173619", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "a82f90ee-acf4-4ff5-899f-a5e07ae82bf7": { + "columnOrder": [ + "ee8cfc7c-9f39-4dad-a28d-99d1dfdf350b" + ], + "columns": { + "ee8cfc7c-9f39-4dad-a28d-99d1dfdf350b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Non Standard ports", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "d8152df4-c3d5-4e93-ac0d-9d13a3cd834e", + "key": "gigamon.ami.app_name", + "negate": false, + "params": { + "query": "ssh" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.app_name": "ssh" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "088f2453-2e6e-4f79-adf6-f3ee0d498e49", + "key": "gigamon.ami.dst_port", + "negate": true, + "params": { + "query": 22 + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.dst_port": 22 + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.src_port", + "index": "14efcd52-a120-4efe-8502-da61db173619", + "key": "gigamon.ami.src_port", + "negate": true, + "params": { + "query": "22" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.src_port": "22" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "accessor": "ee8cfc7c-9f39-4dad-a28d-99d1dfdf350b", + "colorMode": "Background", + "layerId": "a82f90ee-acf4-4ff5-899f-a5e07ae82bf7", + "layerType": "data", + "palette": { + 
"name": "temperature", + "params": { + "continuity": "above", + "maxSteps": 5, + "name": "temperature", + "progression": "fixed", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#6092c0", + "stop": 0 + }, + { + "color": "#ebeff5", + "stop": 0 + }, + { + "color": "#e7664c", + "stop": 0 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2f77e26f-85cf-47aa-a467-4886a34a6845", + "w": 24, + "x": 0, + "y": 81 + }, + "panelIndex": "2f77e26f-85cf-47aa-a467-4886a34a6845", + "title": "SSH Sessions[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-707db7dc-7bda-4553-b9a6-cbeba1925faf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "707db7dc-7bda-4553-b9a6-cbeba1925faf": { + "columnOrder": [ + "26f37cb3-6272-468b-b0bf-311911f4bad0", + "cdcb22ee-4be6-4a4c-a7e1-ef3f5be3892a" + ], + "columns": { + "26f37cb3-6272-468b-b0bf-311911f4bad0": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of gigamon.ami.app_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "ftp", + "telnet", + "pop3", + "imap", + "smb", + "snmp" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "cdcb22ee-4be6-4a4c-a7e1-ef3f5be3892a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "cdcb22ee-4be6-4a4c-a7e1-ef3f5be3892a": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + 
"operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "allowMultipleMetrics": false, + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 0, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + }, + { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "707db7dc-7bda-4553-b9a6-cbeba1925faf", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "cdcb22ee-4be6-4a4c-a7e1-ef3f5be3892a" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "26f37cb3-6272-468b-b0bf-311911f4bad0" + ], + "secondaryGroups": [] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e7ce60d7-9327-4d64-9ca1-6c814506375b", + "w": 24, + "x": 24, + "y": 81 + }, + "panelIndex": "e7ce60d7-9327-4d64-9ca1-6c814506375b", + "title": "Insecure protocols[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"indexpattern-datasource-layer-9ad9bf45-e8a5-4971-a6d9-f10c483725bc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9ad9bf45-e8a5-4971-a6d9-f10c483725bc": { + "columnOrder": [ + "75858c01-5475-41bd-84bd-82668792cb6a", + "b2f71dd5-d176-4971-9644-7ed4a0b2104e" + ], + "columns": { + "75858c01-5475-41bd-84bd-82668792cb6a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of gigamon.ami.smb_version_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b2f71dd5-d176-4971-9644-7ed4a0b2104e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.smb_version_value" + }, + "b2f71dd5-d176-4971-9644-7ed4a0b2104e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b2f71dd5-d176-4971-9644-7ed4a0b2104e" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + 
"specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9ad9bf45-e8a5-4971-a6d9-f10c483725bc", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "75858c01-5475-41bd-84bd-82668792cb6a", + "yConfig": [ + { + "color": "#64b354", + "forAccessor": "b2f71dd5-d176-4971-9644-7ed4a0b2104e" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3a4884cb-e0f3-4fef-9436-2f553afcfb87", + "w": 24, + "x": 0, + "y": 96 + }, + "panelIndex": "3a4884cb-e0f3-4fef-9436-2f553afcfb87", + "title": "SMB Version[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-eea40633-1ee7-46a8-88f2-fc96ea82626e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "eea40633-1ee7-46a8-88f2-fc96ea82626e": { + "columnOrder": [ + "5a7cf6af-299d-4f0a-a134-17bad74b1953", + "00304a89-1833-463e-be89-6878d80fdec6" + ], + "columns": { + "00304a89-1833-463e-be89-6878d80fdec6": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5a7cf6af-299d-4f0a-a134-17bad74b1953": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of gigamon.ami.http_version", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "00304a89-1833-463e-be89-6878d80fdec6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_version" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#eb1989", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#1f88e9", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "eea40633-1ee7-46a8-88f2-fc96ea82626e", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "00304a89-1833-463e-be89-6878d80fdec6" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "5a7cf6af-299d-4f0a-a134-17bad74b1953" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "720a352e-155e-4a3e-87bf-86ddfb52061d", + "w": 24, + "x": 24, + "y": 96 + }, + "panelIndex": "720a352e-155e-4a3e-87bf-86ddfb52061d", + "title": "HTTP Version[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + 
} + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Track and monitor all access to network resources and cardholder data.\n\nLook for,\n\nPCI compliant devices talking to non-compliant devices", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 6, + "i": "12935e91-f37a-43b6-8016-ae205acc73fe", + "w": 24, + "x": 0, + "y": 111 + }, + "panelIndex": "12935e91-f37a-43b6-8016-ae205acc73fe", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-1a46766c-98d3-4c59-955f-ad248e69c09d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1a46766c-98d3-4c59-955f-ad248e69c09d": { + "columnOrder": [ + "188f2825-3960-4754-b596-55c5de7a3bcf", + "74e124f5-0892-4b20-9967-66f68cbfdfe8" + ], + "columns": { + "188f2825-3960-4754-b596-55c5de7a3bcf": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.dst_mac", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "74e124f5-0892-4b20-9967-66f68cbfdfe8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_mac" + }, + "74e124f5-0892-4b20-9967-66f68cbfdfe8": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + 
"filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#9f982b", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#d18ba2", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#1546e5", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1a46766c-98d3-4c59-955f-ad248e69c09d", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "74e124f5-0892-4b20-9967-66f68cbfdfe8" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "188f2825-3960-4754-b596-55c5de7a3bcf" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "16419820-6dc1-4bdb-aa34-9c80b2d1ad1e", + "w": 24, + "x": 24, + "y": 111 + }, + "panelIndex": "16419820-6dc1-4bdb-aa34-9c80b2d1ad1e", + "title": "Top Layer2 Devices[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-6df89022-0b31-47d3-b7b4-b39627957e1c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6df89022-0b31-47d3-b7b4-b39627957e1c": { + "columnOrder": [ + "aac2dc70-0b94-48fc-b76d-d59cd1a20125", + "c563d768-91e0-498b-9c13-5533ef6b6ef2", + "12675a8a-b1db-4f71-a1a0-1a806a18ef9e" + ], + "columns": { + "12675a8a-b1db-4f71-a1a0-1a806a18ef9e": { + "dataType": "number", + 
"isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "aac2dc70-0b94-48fc-b76d-d59cd1a20125": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "12675a8a-b1db-4f71-a1a0-1a806a18ef9e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "c563d768-91e0-498b-9c13-5533ef6b6ef2": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "12675a8a-b1db-4f71-a1a0-1a806a18ef9e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "aac2dc70-0b94-48fc-b76d-d59cd1a20125", + "isTransposed": false + }, + { + "columnId": "c563d768-91e0-498b-9c13-5533ef6b6ef2", + "isTransposed": false + }, + { + "columnId": "12675a8a-b1db-4f71-a1a0-1a806a18ef9e", + "isTransposed": false + } + ], + "layerId": "6df89022-0b31-47d3-b7b4-b39627957e1c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f97cff25-8a15-4598-9f82-e9ca97f22248", + "w": 24, + "x": 0, + "y": 117 + }, + "panelIndex": "f97cff25-8a15-4598-9f82-e9ca97f22248", + "title": "Top IP conversations[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] PCI Compliance", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:10:52.145Z", + "id": "gigamon-032aab7b-87b2-444c-8c86-956d092598fb", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9398dc6a-34e1-4932-a812-4aa0eb66c174:indexpattern-datasource-layer-7c68c54d-62b4-49f1-8a13-f778321dd524", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "dff9d72d-84a2-485f-895f-d41ceb25b537:indexpattern-datasource-layer-5c045cd1-896d-4616-ab58-e438179a1271", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "09fe9c07-9113-427b-9c1d-c50defd14c0a:indexpattern-datasource-layer-b41c5eb7-b859-49fd-98e0-3f44e409b57e", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4b26f1c1-a5e3-4373-801a-9606d43da277:indexpattern-datasource-layer-f00fe1d2-0b00-4926-ba8b-50f5098b4aec", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e35868f4-1c6e-4eff-a933-08884a7fc300:indexpattern-datasource-layer-d38e1fb2-0496-472a-82f2-7c88d7f947d4", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "039714a2-0b5f-4ce1-aea0-35887146d978:indexpattern-datasource-layer-a267cd60-3767-4e26-8b44-4761dd601e16", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "039714a2-0b5f-4ce1-aea0-35887146d978:c001313b-a4ee-4ec8-91bb-e412b3bbe5d2", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + 
"name": "846e11e1-efc8-4311-88a7-cadb7aca1ad4:indexpattern-datasource-layer-f8c599bc-4580-4a39-a5fa-1cc2a68260d7", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a7f83583-f83e-41fb-bce5-fd13fc774a8f:indexpattern-datasource-layer-e6f6eaaa-bde7-4b77-a5a3-2cbdc2449a35", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "ca21225a-3af7-4bc9-8602-433089592d5f:indexpattern-datasource-layer-fd16c376-c72d-484f-b22d-b1e48d9806c1", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2f77e26f-85cf-47aa-a467-4886a34a6845:indexpattern-datasource-layer-a82f90ee-acf4-4ff5-899f-a5e07ae82bf7", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2f77e26f-85cf-47aa-a467-4886a34a6845:d8152df4-c3d5-4e93-ac0d-9d13a3cd834e", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2f77e26f-85cf-47aa-a467-4886a34a6845:088f2453-2e6e-4f79-adf6-f3ee0d498e49", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2f77e26f-85cf-47aa-a467-4886a34a6845:14efcd52-a120-4efe-8502-da61db173619", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e7ce60d7-9327-4d64-9ca1-6c814506375b:indexpattern-datasource-layer-707db7dc-7bda-4553-b9a6-cbeba1925faf", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "3a4884cb-e0f3-4fef-9436-2f553afcfb87:indexpattern-datasource-layer-9ad9bf45-e8a5-4971-a6d9-f10c483725bc", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "720a352e-155e-4a3e-87bf-86ddfb52061d:indexpattern-datasource-layer-eea40633-1ee7-46a8-88f2-fc96ea82626e", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"16419820-6dc1-4bdb-aa34-9c80b2d1ad1e:indexpattern-datasource-layer-1a46766c-98d3-4c59-955f-ad248e69c09d", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "f97cff25-8a15-4598-9f82-e9ca97f22248:indexpattern-datasource-layer-6df89022-0b31-47d3-b7b4-b39627957e1c", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d.json b/packages/gigamon/kibana/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d.json new file mode 100644 index 00000000000..b110a3fc64b --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d.json 
@@ -0,0 +1,1475 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-9653b636-06dc-4b98-9a58-fb3bef05ea56)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-e3307176-34e8-46b1-bb05-b215bfc6dfca)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-acd767db-d106-4a1b-ba2d-c515bdae97db)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [**Unsanctioned Peer to Peer Apps**](#?dashboard/3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": "36ef0d2c-1832-496c-a861-414b4e57956f", + 
"w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "36ef0d2c-1832-496c-a861-414b4e57956f", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "8cf2d322-d829-49e3-bc08-bbdf2bad8404", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "be43b3a9-77eb-4997-b0a3-2c7bf9642d91": { + "columnOrder": [ + "90da3763-1118-417f-8358-f431688df4d3", + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "columns": { + "90da3763-1118-417f-8358-f431688df4d3": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.app_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "8cf2d322-d829-49e3-bc08-bbdf2bad8404", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "edonkey", + 
"bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ], + "type": "phrases", + "value": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "edonkey" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "apple-airplay" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent-bundle" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gnutella" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "manolito" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "utorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet-pex" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "ares" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "imesh" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "directconnect" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "slsk" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 5, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 2, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 0, + "paletteId": 
"eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "90da3763-1118-417f-8358-f431688df4d3" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a6bb8905-1429-48f4-afe0-8abe04458570", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "a6bb8905-1429-48f4-afe0-8abe04458570", + "title": "List of P2P Applications in your network[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "deddd9f4-b68e-4e4a-bac6-030cbf077d0d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "be43b3a9-77eb-4997-b0a3-2c7bf9642d91": { + "columnOrder": [ + "be25dbd2-192e-4f3d-bd7b-32b558b7eea6", + "06c8ecc9-ac2a-4869-8b59-7db0f0efb6c7", + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "columns": { + "06c8ecc9-ac2a-4869-8b59-7db0f0efb6c7": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b": { + "dataType": "number", + 
"isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "be25dbd2-192e-4f3d-bd7b-32b558b7eea6": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.app_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "deddd9f4-b68e-4e4a-bac6-030cbf077d0d", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ], + "type": "phrases", + "value": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "edonkey" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "apple-airplay" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent-bundle" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": 
"gnutella" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "manolito" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "utorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet-pex" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "ares" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "imesh" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "directconnect" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "slsk" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "elastic_brand_2023", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "be25dbd2-192e-4f3d-bd7b-32b558b7eea6", + "xAccessor": "06c8ecc9-ac2a-4869-8b59-7db0f0efb6c7" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e0bd8c6b-8b7a-44e0-b8ef-8c2814e00f57", + "w": 24, + "x": 24, + "y": 15 + }, + 
"panelIndex": "e0bd8c6b-8b7a-44e0-b8ef-8c2814e00f57", + "title": "P2P Application traffic over time[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e162d9f3-10d5-403a-9800-0869a637ca55", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "be43b3a9-77eb-4997-b0a3-2c7bf9642d91": { + "columnOrder": [ + "0911ac8a-1ec9-4437-9594-0e2bd1e86088", + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "columns": { + "0911ac8a-1ec9-4437-9594-0e2bd1e86088": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.src_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "e162d9f3-10d5-403a-9800-0869a637ca55", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "edonkey", + 
"bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ], + "type": "phrases", + "value": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "edonkey" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "apple-airplay" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent-bundle" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gnutella" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "manolito" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "utorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet-pex" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "ares" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "imesh" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "directconnect" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "slsk" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 0, + "paletteId": "elastic_brand_2023", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 1, + "paletteId": "elastic_brand_2023", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 2, + "paletteId": "elastic_brand_2023", + 
"touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "elastic_brand_2023", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0911ac8a-1ec9-4437-9594-0e2bd1e86088" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "1ab105d2-cd65-497f-9dec-eca0022b4dab", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "1ab105d2-cd65-497f-9dec-eca0022b4dab", + "title": "Top P2P Sources[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4e115414-3b37-4d6a-a7d3-909dd2bbd10d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "be43b3a9-77eb-4997-b0a3-2c7bf9642d91": { + "columnOrder": [ + "743571a7-eb16-414a-9661-6b9c463baf93", + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "columns": { + "743571a7-eb16-414a-9661-6b9c463baf93": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.dst_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + 
"size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "4e115414-3b37-4d6a-a7d3-909dd2bbd10d", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ], + "type": "phrases", + "value": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "edonkey" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "apple-airplay" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent-bundle" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gnutella" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "manolito" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "utorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet-pex" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "ares" + } + }, + { + "match_phrase": { + 
"gigamon.ami.app_name": "imesh" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "directconnect" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "slsk" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 5, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 2, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 0, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "743571a7-eb16-414a-9661-6b9c463baf93" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b9b235ec-c995-4e04-9c8d-4a1241ddcf3c", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "b9b235ec-c995-4e04-9c8d-4a1241ddcf3c", + "title": "Top P2P Destinations[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"60326333-2197-489c-b92c-c43814bb2a07", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "be43b3a9-77eb-4997-b0a3-2c7bf9642d91": { + "columnOrder": [ + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b" + ], + "columns": { + "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number o P2P sessions", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "60326333-2197-489c-b92c-c43814bb2a07", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ], + "type": "phrases", + "value": [ + "edonkey", + "bittorrent", + "apple-airplay", + "bittorrent-bundle", + "gnutella", + "manolito", + "utorrent", + "bitcomet", + "bitcomet-pex", + "ares", + "imesh", + "directconnect", + "slsk" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "edonkey" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "apple-airplay" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bittorrent-bundle" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gnutella" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "manolito" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "utorrent" + } + }, + { + 
"match_phrase": { + "gigamon.ami.app_name": "bitcomet" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "bitcomet-pex" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "ares" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "imesh" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "directconnect" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "slsk" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "accessor": "ab03a07c-2a6e-425a-b1c5-98a2ef878a4b", + "colorMode": "Background", + "layerId": "be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#209280", + "stop": null + }, + { + "color": "#B9A888", + "stop": 1080 + }, + { + "color": "#cc5642", + "stop": 2160 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#209280", + "stop": 1080 + }, + { + "color": "#B9A888", + "stop": 2160 + }, + { + "color": "#cc5642", + "stop": 3240 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "f994304e-fef0-446b-991e-3fdad41e3d1e", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "f994304e-fef0-446b-991e-3fdad41e3d1e", + "title": "", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Unsanctioned Peer to Peer Apps", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T09:53:57.275Z", + "id": "gigamon-3523b534-7525-44a7-808f-6a9f3235a67d", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"a6bb8905-1429-48f4-afe0-8abe04458570:indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a6bb8905-1429-48f4-afe0-8abe04458570:8cf2d322-d829-49e3-bc08-bbdf2bad8404", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e0bd8c6b-8b7a-44e0-b8ef-8c2814e00f57:indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e0bd8c6b-8b7a-44e0-b8ef-8c2814e00f57:deddd9f4-b68e-4e4a-bac6-030cbf077d0d", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "1ab105d2-cd65-497f-9dec-eca0022b4dab:indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "1ab105d2-cd65-497f-9dec-eca0022b4dab:e162d9f3-10d5-403a-9800-0869a637ca55", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "b9b235ec-c995-4e04-9c8d-4a1241ddcf3c:indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "b9b235ec-c995-4e04-9c8d-4a1241ddcf3c:4e115414-3b37-4d6a-a7d3-909dd2bbd10d", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "f994304e-fef0-446b-991e-3fdad41e3d1e:indexpattern-datasource-layer-be43b3a9-77eb-4997-b0a3-2c7bf9642d91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "f994304e-fef0-446b-991e-3fdad41e3d1e:60326333-2197-489c-b92c-c43814bb2a07", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file 
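Review bot: The navigation markdown's self-link for this dashboard, `[**Unsanctioned Peer to Peer Apps**](#?dashboard/3523b534-7525-44a7-808f-6a9f3235a67d)`, uses `#?dashboard/` and drops the `gigamon-` prefix, unlike every other entry in the same list and unlike the link to this dashboard in the gigamon-46931a21 markdown (`#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d`); it should read `[**Unsanctioned Peer to Peer Apps**](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)`. The legacy metric panel's custom label is `"Number o P2P sessions"` and should be `"Number of P2P sessions"`. The Troubleshooting Insights, Security Posture and Homoglyph Detection entries here point to `gigamon-9653b636-…`, `gigamon-e3307176-…` and `gigamon-acd767db-…`, while the same entries in the gigamon-46931a21 dashboard added below point to `gigamon-e733c64e-…`, `gigamon-4ae2cd9a-…` and `gigamon-64ca15b3-…`, so one of the two sets presumably references dashboard ids that are not shipped in the package and the lists should be reconciled. Because every panel hard-codes the same phrases filter on `gigamon.ami.app_name`, the empty dashboard description could document that, e.g. `"description": "P2P traffic is identified by a fixed list of gigamon.ami.app_name values; the phrases filter must be updated in each panel to add or remove applications."`.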
diff --git a/packages/gigamon/kibana/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc.json b/packages/gigamon/kibana/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc.json new file mode 100644 index 00000000000..aacbd540220 --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc.json 
@@ -0,0 +1,1268 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [**Unmanaged Endpoints**](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"c2f18da3-1a36-4cd6-b080-2358a8111d90", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "c2f18da3-1a36-4cd6-b080-2358a8111d90", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-524869d1-5c3a-48d3-b70d-31c695576301", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2ac90361-4777-4349-b8e0-8d84b45a8b28", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "524869d1-5c3a-48d3-b70d-31c695576301": { + "columnOrder": [ + "36edeac3-956b-425f-8add-2995317088dc" + ], + "columns": { + "36edeac3-956b-425f-8add-2995317088dc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of unmanaged host sessions", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.app_name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "2ac90361-4777-4349-b8e0-8d84b45a8b28", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "mqtt", + "coap", + "gvcp", + "opcua", + "llp", + "dicom" + ], + "type": "phrases", + "value": [ + "mqtt", + "coap", + "gvcp", + "opcua", + "llp", + "dicom" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "mqtt" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "coap" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gvcp" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "opcua" + } + }, + { + 
"match_phrase": { + "gigamon.ami.app_name": "llp" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "dicom" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "accessor": "36edeac3-956b-425f-8add-2995317088dc", + "colorMode": "Background", + "layerId": "524869d1-5c3a-48d3-b70d-31c695576301", + "layerType": "data", + "palette": { + "name": "gray", + "params": { + "continuity": "above", + "maxSteps": 5, + "name": "gray", + "progression": "fixed", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#b0b7c4", + "stop": 0 + }, + { + "color": "#6e7481", + "stop": 3.33 + }, + { + "color": "#343741", + "stop": 6.66 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "7a2dc5c1-f5f2-487d-a6c8-e7ddc57f7328", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "7a2dc5c1-f5f2-487d-a6c8-e7ddc57f7328", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-5ce0cd74-fa7b-48d2-80aa-9aac35104287", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "1e3c3df4-0e19-4c69-a467-d411710b5568", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5ce0cd74-fa7b-48d2-80aa-9aac35104287": { + "columnOrder": [ + "97180755-0fee-477f-8f7e-710eee6020cd", + "41aaf850-cc48-4b75-b489-9b8e5e4b23a1" + ], + "columns": { + "41aaf850-cc48-4b75-b489-9b8e5e4b23a1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of gigamon.ami.app_name", + "operationType": "count", + "params": { 
+ "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.app_name" + }, + "97180755-0fee-477f-8f7e-710eee6020cd": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.dst_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "41aaf850-cc48-4b75-b489-9b8e5e4b23a1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "1e3c3df4-0e19-4c69-a467-d411710b5568", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "mqtt", + "dicom", + "coap", + "gvcp", + "opcua", + "llp" + ], + "type": "phrases", + "value": [ + "mqtt", + "dicom", + "coap", + "gvcp", + "opcua", + "llp" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "mqtt" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "dicom" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "coap" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gvcp" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "opcua" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "llp" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + 
"sort": "desc", + "steps": [ + { + "colorIndex": 4, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5ce0cd74-fa7b-48d2-80aa-9aac35104287", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "41aaf850-cc48-4b75-b489-9b8e5e4b23a1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "97180755-0fee-477f-8f7e-710eee6020cd" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ced39111-0d23-411f-8228-f7d3ec1d6ce8", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "ced39111-0d23-411f-8228-f7d3ec1d6ce8", + "title": "Top IoT Destinations[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-382d6efb-9dae-4d62-9a7d-2084e6592e76", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "382d6efb-9dae-4d62-9a7d-2084e6592e76": { + "columnOrder": [ + "b938f6fe-7531-4068-8b01-d72ed5bc522e", + "90eada77-c405-4610-b0f4-cfac77b165b3", + "7e1b796d-da94-4efe-b2cf-f6d23840bcbc" + ], + "columns": { + "7e1b796d-da94-4efe-b2cf-f6d23840bcbc": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "90eada77-c405-4610-b0f4-cfac77b165b3": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": 
true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "b938f6fe-7531-4068-8b01-d72ed5bc522e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.app_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "mqtt", + "coap", + "gvcp", + "opcua", + "llp", + "dicom" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7e1b796d-da94-4efe-b2cf-f6d23840bcbc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7e1b796d-da94-4efe-b2cf-f6d23840bcbc" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 0, + "paletteId": "elastic_brand_2023", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 5, + "paletteId": "elastic_brand_2023", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "elastic_brand_2023", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "382d6efb-9dae-4d62-9a7d-2084e6592e76", + "layerType": "data", + "position": "top", + "seriesType": 
"area_stacked", + "showGridlines": false, + "splitAccessor": "b938f6fe-7531-4068-8b01-d72ed5bc522e", + "xAccessor": "90eada77-c405-4610-b0f4-cfac77b165b3" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ef25137d-2ae5-4cec-9986-46b53cf890d7", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "ef25137d-2ae5-4cec-9986-46b53cf890d7", + "title": "IOT Traffic Overview[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-00809baf-def6-44f9-8ed0-071dd5fafdde", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "22bb68a9-8f42-40f8-b4e5-11a20106f03d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "00809baf-def6-44f9-8ed0-071dd5fafdde": { + "columnOrder": [ + "5adf4c54-3f1b-40dc-858f-84b400b62cc9", + "52cb82b2-e3c6-4ada-9000-84f2a1e2d93f" + ], + "columns": { + "52cb82b2-e3c6-4ada-9000-84f2a1e2d93f": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5adf4c54-3f1b-40dc-858f-84b400b62cc9": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Client IP's", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "52cb82b2-e3c6-4ada-9000-84f2a1e2d93f", + "type": "column" + }, + "orderDirection": 
"desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "22bb68a9-8f42-40f8-b4e5-11a20106f03d", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "mqtt", + "dicom", + "llp", + "opcua", + "gvcp", + "coap" + ], + "type": "phrases", + "value": [ + "mqtt", + "dicom", + "llp", + "opcua", + "gvcp", + "coap" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "mqtt" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "dicom" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "llp" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "opcua" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gvcp" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "coap" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "5adf4c54-3f1b-40dc-858f-84b400b62cc9", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "52cb82b2-e3c6-4ada-9000-84f2a1e2d93f", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "00809baf-def6-44f9-8ed0-071dd5fafdde", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3eb9c4d5-3560-4d3b-81f4-ba3a12995869", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "3eb9c4d5-3560-4d3b-81f4-ba3a12995869", + "title": "Top IoT 
Endpoints[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-512ecd89-fcfa-4cae-942d-276720984eec", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "512ecd89-fcfa-4cae-942d-276720984eec": { + "columnOrder": [ + "ce253064-2be9-479b-95e6-9cce3b0f39f9", + "f64da980-3f15-4ac6-a2bf-6ce66e130e00" + ], + "columns": { + "ce253064-2be9-479b-95e6-9cce3b0f39f9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "List of IoT Protocols", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "mqtt", + "coap", + "gvcp", + "opcua", + "llp", + "dicom" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f64da980-3f15-4ac6-a2bf-6ce66e130e00", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "f64da980-3f15-4ac6-a2bf-6ce66e130e00": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + 
"colorIndex": 2, + "paletteId": "neutral", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 2, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorCode": "#7e21ea", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0.7, + "layerId": "512ecd89-fcfa-4cae-942d-276720984eec", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "f64da980-3f15-4ac6-a2bf-6ce66e130e00" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ce253064-2be9-479b-95e6-9cce3b0f39f9" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "74bbfa9a-665c-47b6-9d44-28643901358e", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "74bbfa9a-665c-47b6-9d44-28643901358e", + "title": "Applications[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-c0e77b08-b6fd-4c45-88ed-0a361a6dff5f", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a2f2d7ad-6751-4277-bb47-475310feb936", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c0e77b08-b6fd-4c45-88ed-0a361a6dff5f": { + "columnOrder": [ + "d2366fbe-b6ed-43d1-9472-f9ffe669f8aa", + "f45a21e3-2a60-42be-ae6e-cf8c1374acf1" + ], + "columns": { + "d2366fbe-b6ed-43d1-9472-f9ffe669f8aa": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.dst_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": 
false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f45a21e3-2a60-42be-ae6e-cf8c1374acf1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "f45a21e3-2a60-42be-ae6e-cf8c1374acf1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of gigamon.ami.app_name", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.app_name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "a2f2d7ad-6751-4277-bb47-475310feb936", + "key": "gigamon.ami.app_name", + "negate": false, + "params": [ + "mqtt", + "dicom", + "gvcp", + "coap", + "opcua", + "llp" + ], + "type": "phrases", + "value": [ + "mqtt", + "dicom", + "gvcp", + "coap", + "opcua", + "llp" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.app_name": "mqtt" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "dicom" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "gvcp" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "coap" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "opcua" + } + }, + { + "match_phrase": { + "gigamon.ami.app_name": "llp" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + 
"colorIndex": 0, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c0e77b08-b6fd-4c45-88ed-0a361a6dff5f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "f45a21e3-2a60-42be-ae6e-cf8c1374acf1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d2366fbe-b6ed-43d1-9472-f9ffe669f8aa" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "db06369d-6d2c-42a9-adb3-2fc812e5e947", + "w": 24, + "x": 0, + "y": 51 + }, + "panelIndex": "db06369d-6d2c-42a9-adb3-2fc812e5e947", + "title": "Top IoT Sources[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Unmanaged Endpoints", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:11:57.488Z", + "id": "gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "7a2dc5c1-f5f2-487d-a6c8-e7ddc57f7328:indexpattern-datasource-layer-524869d1-5c3a-48d3-b70d-31c695576301", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "7a2dc5c1-f5f2-487d-a6c8-e7ddc57f7328:2ac90361-4777-4349-b8e0-8d84b45a8b28", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "ced39111-0d23-411f-8228-f7d3ec1d6ce8:indexpattern-datasource-layer-5ce0cd74-fa7b-48d2-80aa-9aac35104287", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "ced39111-0d23-411f-8228-f7d3ec1d6ce8:1e3c3df4-0e19-4c69-a467-d411710b5568", + "type": "index-pattern" + }, + { + "id": 
"e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "ef25137d-2ae5-4cec-9986-46b53cf890d7:indexpattern-datasource-layer-382d6efb-9dae-4d62-9a7d-2084e6592e76", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "3eb9c4d5-3560-4d3b-81f4-ba3a12995869:indexpattern-datasource-layer-00809baf-def6-44f9-8ed0-071dd5fafdde", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "3eb9c4d5-3560-4d3b-81f4-ba3a12995869:22bb68a9-8f42-40f8-b4e5-11a20106f03d", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "74bbfa9a-665c-47b6-9d44-28643901358e:indexpattern-datasource-layer-512ecd89-fcfa-4cae-942d-276720984eec", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "db06369d-6d2c-42a9-adb3-2fc812e5e947:indexpattern-datasource-layer-c0e77b08-b6fd-4c45-88ed-0a361a6dff5f", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "db06369d-6d2c-42a9-adb3-2fc812e5e947:a2f2d7ad-6751-4277-bb47-475310feb936", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac.json b/packages/gigamon/kibana/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac.json new file mode 100644 index 00000000000..7c68899f80f --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac.json 
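Review bot: The dashboard's `"description": ""` at the top of the hunk leaves undocumented how "unmanaged" is decided: the `Number of unmanaged host sessions` metric and the surrounding panels count any session whose `gigamon.ami.app_name` is one of `mqtt`, `coap`, `gvcp`, `opcua`, `llp`, `dicom`, so a fully managed MQTT broker or DICOM server is reported as unmanaged as well. I would state the heuristic where an analyst sees it, e.g. `"description": "Sessions over IoT/OT and medical protocols (mqtt, coap, gvcp, opcua, llp, dicom), used as a proxy for unmanaged endpoints; tune the protocol list to your environment."`. The same six-protocol list is repeated in four `phrases` filters and two terms `include` lists in this file, so tuning it presumably means editing all six places, which is worth noting in the description or the package docs so the panels do not drift apart.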
@@ -0,0 +1,2050 @@ +{ + "attributes": { + "description": "SSL Cryptographic details", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [**Security Posture**](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"73e0c738-d6e9-4140-a1dc-77bf224642bd", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "73e0c738-d6e9-4140-a1dc-77bf224642bd", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Many applications compress data before it is encrypted, which, in some cases, may compromise the confidentiality of the transmitted data", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "b1134c27-f71d-4fcc-8c8e-d5a2f59259a0", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "b1134c27-f71d-4fcc-8c8e-d5a2f59259a0", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-f8370edf-a33f-4b5f-a5e0-f91226bd7ee4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f8370edf-a33f-4b5f-a5e0-f91226bd7ee4": { + "columnOrder": [ + "50373ef9-0c0b-41e6-8725-ba32cbefb3a7", + "ad83ad45-30c7-415a-9792-3ce72354c53d" + ], + "columns": { + "50373ef9-0c0b-41e6-8725-ba32cbefb3a7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Compression encoding", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ad83ad45-30c7-415a-9792-3ce72354c53d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": 
"gigamon.ami.http_content_encoding" + }, + "ad83ad45-30c7-415a-9792-3ce72354c53d": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "ad83ad45-30c7-415a-9792-3ce72354c53d" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f8370edf-a33f-4b5f-a5e0-f91226bd7ee4", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "50373ef9-0c0b-41e6-8725-ba32cbefb3a7", + "yConfig": [ + { + "color": "#bc2a91", + "forAccessor": "ad83ad45-30c7-415a-9792-3ce72354c53d" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2ec46ecc-8727-4ada-a9cc-791128084fc7", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": 
"2ec46ecc-8727-4ada-a9cc-791128084fc7", + "title": "Compression Algorithms detected[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-1a855e99-fd47-4ba6-a92a-56f7fbc4955f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "1a855e99-fd47-4ba6-a92a-56f7fbc4955f": { + "columnOrder": [ + "ac8318a5-c0ef-4e03-ad32-a2789b00f432", + "85125864-cfd2-40d4-a2af-e545dbce14af" + ], + "columns": { + "85125864-cfd2-40d4-a2af-e545dbce14af": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ac8318a5-c0ef-4e03-ad32-a2789b00f432": { + "dataType": "string", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.ssl_cipher_suite_id_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "85125864-cfd2-40d4-a2af-e545dbce14af", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_cipher_suite_id_value" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.ssl_cipher_suite_id", + "index": "c6d81efe-bb04-40e1-ba15-3007b73260f6", + "key": "gigamon.ami.ssl_cipher_suite_id", + "negate": 
false, + "params": [ + "47", + "50", + "51", + "52", + "53", + "56", + "57", + "58", + "65", + "68", + "69", + "70", + "108", + "109", + "132", + "135", + "136", + "137", + "138", + "139", + "140", + "141", + "150", + "153", + "154", + "155", + "166", + "167", + "49153", + "49154", + "49155", + "49156", + "49157", + "49158", + "49159", + "49160", + "49161", + "49162", + "49163", + "49164", + "49165", + "49166", + "49167", + "49168", + "49169", + "49170", + "49171", + "49172", + "49173", + "49174", + "49175", + "49176", + "49177", + "49178", + "49179", + "49180", + "49181", + "49182", + "49183", + "49184", + "49185", + "49186" + ], + "type": "phrases", + "value": [ + "47", + "50", + "51", + "52", + "53", + "56", + "57", + "58", + "65", + "68", + "69", + "70", + "108", + "109", + "132", + "135", + "136", + "137", + "138", + "139", + "140", + "141", + "150", + "153", + "154", + "155", + "166", + "167", + "49153", + "49154", + "49155", + "49156", + "49157", + "49158", + "49159", + "49160", + "49161", + "49162", + "49163", + "49164", + "49165", + "49166", + "49167", + "49168", + "49169", + "49170", + "49171", + "49172", + "49173", + "49174", + "49175", + "49176", + "49177", + "49178", + "49179", + "49180", + "49181", + "49182", + "49183", + "49184", + "49185", + "49186" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "47" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "50" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "51" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "52" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "53" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "56" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "57" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "58" + } + }, + { + "match_phrase": { + 
"gigamon.ami.ssl_cipher_suite_id": "65" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "68" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "69" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "70" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "108" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "109" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "132" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "135" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "136" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "137" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "138" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "139" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "140" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "141" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "150" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "153" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "154" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "155" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "166" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "167" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49153" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49154" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49155" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49156" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49157" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49158" + } + }, + { + "match_phrase": { + 
"gigamon.ami.ssl_cipher_suite_id": "49159" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49160" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49161" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49162" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49163" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49164" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49165" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49166" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49167" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49168" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49169" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49170" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49171" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49172" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49173" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49174" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49175" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49176" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49177" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49178" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49179" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49180" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49181" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49182" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49183" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49184" + } + 
}, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49185" + } + }, + { + "match_phrase": { + "gigamon.ami.ssl_cipher_suite_id": "49186" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" \n\n" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 6, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorCode": "#cc4370", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#114575", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1a855e99-fd47-4ba6-a92a-56f7fbc4955f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "85125864-cfd2-40d4-a2af-e545dbce14af" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ac8318a5-c0ef-4e03-ad32-a2789b00f432" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "Old or weak cryptographic algorithms or protocols used", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "7ee54803-53b7-4030-ac5a-4e6bb7f8d488", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "7ee54803-53b7-4030-ac5a-4e6bb7f8d488", + "title": "Weak Ciphers[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Lookout for deprecated Hash functions such as MD5 and SHA1\n", + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-a59e668a-9b41-4e4f-a213-d849adcc37e1", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a59e668a-9b41-4e4f-a213-d849adcc37e1": { + "columnOrder": [ + "7ba20cfc-9fef-45de-b70d-91a2ca6a8d3f", + "f509fb07-2441-4564-b0cc-fce14484d9a0" + ], + "columns": { + "7ba20cfc-9fef-45de-b70d-91a2ca6a8d3f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.ssl_ext_sig_algorithm_hash_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f509fb07-2441-4564-b0cc-fce14484d9a0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_ext_sig_algorithm_hash_value" + }, + "f509fb07-2441-4564-b0cc-fce14484d9a0": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" \n\n" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "elastic_brand_2023", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "a59e668a-9b41-4e4f-a213-d849adcc37e1", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "f509fb07-2441-4564-b0cc-fce14484d9a0" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + 
"7ba20cfc-9fef-45de-b70d-91a2ca6a8d3f" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "Lookout for deprecated Hash functions such as MD5 and SHA1\n", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4ecbea12-8c6b-4628-af7e-561eb34a8580", + "w": 24, + "x": 24, + "y": 20 + }, + "panelIndex": "4ecbea12-8c6b-4628-af7e-561eb34a8580", + "title": "Cryptographic Hash[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Older versions like SSLv2, SSLv3 or TLS1.0 should not be used", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "11490e4c-03df-44dd-949e-035696609710", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "11490e4c-03df-44dd-949e-035696609710", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-ca329fec-55d4-4114-8e6c-66fac6103bd6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ca329fec-55d4-4114-8e6c-66fac6103bd6": { + "columnOrder": [ + "29560e3d-2c6a-4082-b3fe-6d04dce0a004", + "7a76c915-13af-4f43-8836-bf33034dc66b" + ], + "columns": { + "29560e3d-2c6a-4082-b3fe-6d04dce0a004": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of gigamon.ami.ssl_ext_sig_algorithm_scheme_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + 
"orderBy": { + "columnId": "7a76c915-13af-4f43-8836-bf33034dc66b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_ext_sig_algorithm_scheme_value" + }, + "7a76c915-13af-4f43-8836-bf33034dc66b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7a76c915-13af-4f43-8836-bf33034dc66b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "ca329fec-55d4-4114-8e6c-66fac6103bd6", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "29560e3d-2c6a-4082-b3fe-6d04dce0a004", + "yConfig": [ + { + "color": "#5ba8ee", + "forAccessor": "7a76c915-13af-4f43-8836-bf33034dc66b" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + 
} + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Signature scheme, aka hash, signature", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4edbfb96-b1de-4a66-804b-e0dda725f53c", + "w": 24, + "x": 24, + "y": 35 + }, + "panelIndex": "4edbfb96-b1de-4a66-804b-e0dda725f53c", + "title": "Signature_Algorithm[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-1a6b0337-abdf-4190-a6f0-01eb8bf27602", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1a6b0337-abdf-4190-a6f0-01eb8bf27602": { + "columnOrder": [ + "12782a08-fba7-483a-9a2e-52db88c4a84f", + "29a9eedb-41b8-434b-ac4c-390c9129c2e3" + ], + "columns": { + "12782a08-fba7-483a-9a2e-52db88c4a84f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.ssl_protocol_version_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "29a9eedb-41b8-434b-ac4c-390c9129c2e3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_protocol_version_value" + }, + "29a9eedb-41b8-434b-ac4c-390c9129c2e3": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : 
\"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 5, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1a6b0337-abdf-4190-a6f0-01eb8bf27602", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "29a9eedb-41b8-434b-ac4c-390c9129c2e3" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "12782a08-fba7-483a-9a2e-52db88c4a84f" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d930ab89-a6d5-48ef-b925-e994aebe8793", + "w": 24, + "x": 0, + "y": 40 + }, + "panelIndex": "d930ab89-a6d5-48ef-b925-e994aebe8793", + "title": "TLS Versions seen in the network[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Key exchange protocols that provide forward secrecy do not include RSA.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 3, + "i": "01332205-332f-487f-9799-261334bddd4c", + "w": 24, + "x": 24, + "y": 50 + }, + "panelIndex": "01332205-332f-487f-9799-261334bddd4c", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"indexpattern-datasource-layer-7bc2981e-b536-4695-978a-4204ad71b136", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7bc2981e-b536-4695-978a-4204ad71b136": { + "columnOrder": [ + "d5caa97d-0c74-4213-b25c-66b71b8d5e6a", + "3f7bb19f-c905-4fc0-aa93-a6ecf2ccabe7" + ], + "columns": { + "3f7bb19f-c905-4fc0-aa93-a6ecf2ccabe7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d5caa97d-0c74-4213-b25c-66b71b8d5e6a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.ssl_ext_sig_algorithm_sig", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3f7bb19f-c905-4fc0-aa93-a6ecf2ccabe7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_ext_sig_algorithm_sig" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "3f7bb19f-c905-4fc0-aa93-a6ecf2ccabe7" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", 
+ "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7bc2981e-b536-4695-978a-4204ad71b136", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "d5caa97d-0c74-4213-b25c-66b71b8d5e6a", + "yConfig": [ + { + "color": "#be9b58", + "forAccessor": "3f7bb19f-c905-4fc0-aa93-a6ecf2ccabe7" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "0eddb6e3-01cd-41be-b179-786c9156d810", + "w": 24, + "x": 24, + "y": 53 + }, + "panelIndex": "0eddb6e3-01cd-41be-b179-786c9156d810", + "title": "Key Exchange Protocols seen on the network[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Applications, Servers and Clients using deprecated and risky SSL versions", + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-52ebe360-98df-4c55-9c3a-5b30179d97fe", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "52ebe360-98df-4c55-9c3a-5b30179d97fe": { + "columnOrder": [ + "8f21f20f-d0e7-42dd-a869-66af17ac0f8f", + "dd23e590-6f2f-4e30-9730-2463da3fcf32", + "f6f1b00a-7165-4ec5-b625-5dd63c0dd43a", + "79d382b6-cb8b-4cee-a738-3c441ce66510", + "e501a40d-b125-4701-abbe-d3e7273be600" + ], + "columns": { + "79d382b6-cb8b-4cee-a738-3c441ce66510": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "SSL Versions", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "SSL_2_0", + 
"SSL_3_0", + "TLS_1_0" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e501a40d-b125-4701-abbe-d3e7273be600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_protocol_version_value" + }, + "8f21f20f-d0e7-42dd-a869-66af17ac0f8f": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e501a40d-b125-4701-abbe-d3e7273be600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "dd23e590-6f2f-4e30-9730-2463da3fcf32": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e501a40d-b125-4701-abbe-d3e7273be600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "e501a40d-b125-4701-abbe-d3e7273be600": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f6f1b00a-7165-4ec5-b625-5dd63c0dd43a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e501a40d-b125-4701-abbe-d3e7273be600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "8f21f20f-d0e7-42dd-a869-66af17ac0f8f", + "isTransposed": false + }, + { + "columnId": "dd23e590-6f2f-4e30-9730-2463da3fcf32", + "isTransposed": false + }, + { + "columnId": "f6f1b00a-7165-4ec5-b625-5dd63c0dd43a", + "isTransposed": false + }, + { + "columnId": "79d382b6-cb8b-4cee-a738-3c441ce66510", + "isTransposed": false + }, + { + "columnId": "e501a40d-b125-4701-abbe-d3e7273be600", + "hidden": true, + "isTransposed": false + } + ], + "layerId": "52ebe360-98df-4c55-9c3a-5b30179d97fe", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Applications, Servers and Clients using deprecated and risky SSL versions", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e2b390fc-73ff-471d-91cb-0529402a4647", + "w": 24, + "x": 0, + "y": 55 + }, + "panelIndex": "e2b390fc-73ff-471d-91cb-0529402a4647", + "title": "Sessions using Old SSL Versions[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Security Vulnerabilities like BREACH, VORACLE and CRIME 
take advantage of compression", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "ebde7fdc-9392-4ee3-b27b-f9494e3c8a3f", + "w": 24, + "x": 0, + "y": 70 + }, + "panelIndex": "ebde7fdc-9392-4ee3-b27b-f9494e3c8a3f", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-b5a30015-ed6f-4639-9440-8d481157749c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b5a30015-ed6f-4639-9440-8d481157749c": { + "columnOrder": [ + "8a83e195-a5a7-45c0-b8b6-65bb2d68725e", + "120c372b-0765-4731-94f0-39cd09e46658", + "458c03a2-c733-4e53-8fbc-f71ae0a7c7bc", + "37177b31-b1bf-4fae-9f90-0eee523e9d79", + "8a95d45c-8af8-44e1-a565-a2c19a10c0cb" + ], + "columns": { + "120c372b-0765-4731-94f0-39cd09e46658": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8a95d45c-8af8-44e1-a565-a2c19a10c0cb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "37177b31-b1bf-4fae-9f90-0eee523e9d79": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Compression Scheme", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8a95d45c-8af8-44e1-a565-a2c19a10c0cb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" 
+ }, + "size": 23 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_content_encoding" + }, + "458c03a2-c733-4e53-8fbc-f71ae0a7c7bc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8a95d45c-8af8-44e1-a565-a2c19a10c0cb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "8a83e195-a5a7-45c0-b8b6-65bb2d68725e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8a95d45c-8af8-44e1-a565-a2c19a10c0cb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "8a95d45c-8af8-44e1-a565-a2c19a10c0cb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "8a83e195-a5a7-45c0-b8b6-65bb2d68725e", + "isTransposed": false + }, + { + "columnId": "120c372b-0765-4731-94f0-39cd09e46658", + "isTransposed": false + }, + { + "columnId": 
"458c03a2-c733-4e53-8fbc-f71ae0a7c7bc", + "isTransposed": false + }, + { + "columnId": "8a95d45c-8af8-44e1-a565-a2c19a10c0cb", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "37177b31-b1bf-4fae-9f90-0eee523e9d79", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "b5a30015-ed6f-4639-9440-8d481157749c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "20b67d27-53bd-4df5-8e4e-553d170b9f3d", + "w": 24, + "x": 0, + "y": 74 + }, + "panelIndex": "20b67d27-53bd-4df5-8e4e-553d170b9f3d", + "title": "Sessions using compression algorithms[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Security Posture", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:04:42.549Z", + "id": "gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2ec46ecc-8727-4ada-a9cc-791128084fc7:indexpattern-datasource-layer-f8370edf-a33f-4b5f-a5e0-f91226bd7ee4", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "7ee54803-53b7-4030-ac5a-4e6bb7f8d488:indexpattern-datasource-layer-1a855e99-fd47-4ba6-a92a-56f7fbc4955f", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4ecbea12-8c6b-4628-af7e-561eb34a8580:indexpattern-datasource-layer-a59e668a-9b41-4e4f-a213-d849adcc37e1", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4edbfb96-b1de-4a66-804b-e0dda725f53c:indexpattern-datasource-layer-ca329fec-55d4-4114-8e6c-66fac6103bd6", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "d930ab89-a6d5-48ef-b925-e994aebe8793:indexpattern-datasource-layer-1a6b0337-abdf-4190-a6f0-01eb8bf27602", + "type": "index-pattern" + }, + { + 
"id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "0eddb6e3-01cd-41be-b179-786c9156d810:indexpattern-datasource-layer-7bc2981e-b536-4695-978a-4204ad71b136", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e2b390fc-73ff-471d-91cb-0529402a4647:indexpattern-datasource-layer-52ebe360-98df-4c55-9c3a-5b30179d97fe", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "20b67d27-53bd-4df5-8e4e-553d170b9f3d:indexpattern-datasource-layer-b5a30015-ed6f-4639-9440-8d481157749c", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +}
\ No newline at end of file
diff --git a/packages/gigamon/kibana/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b.json b/packages/gigamon/kibana/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b.json
new file mode 100644
index 00000000000..fd44f843d94
--- /dev/null
+++ b/packages/gigamon/kibana/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b.json
@@ -0,0 +1,765 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [**Suspicious Connections**](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"805ea0bb-bc47-47b6-b5b9-7ae459e912da", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "805ea0bb-bc47-47b6-b5b9-7ae459e912da", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-4e7a5be6-e8e2-4181-8c8e-3464b9cbb8f3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "4e7a5be6-e8e2-4181-8c8e-3464b9cbb8f3": { + "columnOrder": [ + "30604579-d923-43a5-a3ff-904b1a241829", + "8e662664-420d-4311-a745-9b36217280aa" + ], + "columns": { + "30604579-d923-43a5-a3ff-904b1a241829": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "ssh", + "rdp", + "telnet", + "smb", + "ftp", + "dropbox", + "nfs", + "tftp" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8e662664-420d-4311-a745-9b36217280aa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "8e662664-420d-4311-a745-9b36217280aa": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + 
"columns": [ + { + "columnId": "30604579-d923-43a5-a3ff-904b1a241829", + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "8e662664-420d-4311-a745-9b36217280aa", + "isTransposed": false + } + ], + "layerId": "4e7a5be6-e8e2-4181-8c8e-3464b9cbb8f3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "691cc634-beea-4461-abf3-7798f2fd7f53", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "691cc634-beea-4461-abf3-7798f2fd7f53", + "title": "Top Suspicious Sessions[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-0e790f53-fc9a-4723-b826-345927fe0ac2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0e790f53-fc9a-4723-b826-345927fe0ac2": { + "columnOrder": [ + "3c258391-639c-45f5-88b0-535c27c90a74", + "83f2728c-6c7c-421c-b465-c17b318461a4", + "e2059abe-85e3-4ce9-8b88-25537c73aa1b", + "8b873cfd-7844-48e8-8315-eee47440a6f8", + "a5d1995e-af7d-4665-807b-88874981159d", + "19d6c43b-fb62-4826-9b33-54b8f6516c4b" + ], + "columns": { + "19d6c43b-fb62-4826-9b33-54b8f6516c4b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3c258391-639c-45f5-88b0-535c27c90a74": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "19d6c43b-fb62-4826-9b33-54b8f6516c4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + 
"id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "83f2728c-6c7c-421c-b465-c17b318461a4": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "19d6c43b-fb62-4826-9b33-54b8f6516c4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "8b873cfd-7844-48e8-8315-eee47440a6f8": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Source port", + "operationType": "terms", + "params": { + "exclude": [ + 22, + 53, + 23 + ], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "19d6c43b-fb62-4826-9b33-54b8f6516c4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_port" + }, + "a5d1995e-af7d-4665-807b-88874981159d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "ssh", + "dns", + "telnet" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "19d6c43b-fb62-4826-9b33-54b8f6516c4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "e2059abe-85e3-4ce9-8b88-25537c73aa1b": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination Port", + 
"operationType": "terms", + "params": { + "exclude": [ + 22, + 23, + 53 + ], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "19d6c43b-fb62-4826-9b33-54b8f6516c4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "a5d1995e-af7d-4665-807b-88874981159d", + "hidden": false, + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "19d6c43b-fb62-4826-9b33-54b8f6516c4b", + "hidden": true, + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "e2059abe-85e3-4ce9-8b88-25537c73aa1b", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "8b873cfd-7844-48e8-8315-eee47440a6f8", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "3c258391-639c-45f5-88b0-535c27c90a74", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "83f2728c-6c7c-421c-b465-c17b318461a4", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "0e790f53-fc9a-4723-b826-345927fe0ac2", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "9e15b7fa-c6fa-407f-8164-0003a5211964", + "w": 48, + "x": 0, + "y": 21 + }, + "panelIndex": "9e15b7fa-c6fa-407f-8164-0003a5211964", + "title": "Port Spoofing Activity[Gigamon AMI[", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-dcb2c44f-fa1b-49dc-a8fd-95735065a2ca", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dcb2c44f-fa1b-49dc-a8fd-95735065a2ca": { + "columnOrder": [ + "04ab43d3-226e-4e2f-a150-89154d731c2f", + "66d0aa7a-1b6b-47d7-a40e-4b170dd43ea8", + "6ba6603b-8f9d-4cfb-8636-2e53618f3daa", + "14a6d76d-c7e4-4c33-a9bd-fab9af70f900", + "c3c3d87c-8824-4083-822d-d8494a8be695", + "19b54851-b502-47ff-b4ba-c7402312e15e", + "90047821-2703-4511-aa1e-089ff98c98e9", + "02673980-99b6-46f4-ae55-5bc04d511672" + ], + "columns": { + "02673980-99b6-46f4-ae55-5bc04d511672": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "04ab43d3-226e-4e2f-a150-89154d731c2f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "14a6d76d-c7e4-4c33-a9bd-fab9af70f900": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Source port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_port" + }, + "19b54851-b502-47ff-b4ba-c7402312e15e": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Received Bytes", + "operationType": "terms", + "params": { + 
"exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_bytes" + }, + "66d0aa7a-1b6b-47d7-a40e-4b170dd43ea8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "ftp", + "smb", + "dropbox", + "tftp", + "ssh", + "rdp", + "telnet", + "nfs" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "6ba6603b-8f9d-4cfb-8636-2e53618f3daa": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "90047821-2703-4511-aa1e-089ff98c98e9": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination Port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + }, + "c3c3d87c-8824-4083-822d-d8494a8be695": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Transmitted bytes", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "66d0aa7a-1b6b-47d7-a40e-4b170dd43ea8", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "02673980-99b6-46f4-ae55-5bc04d511672", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "6ba6603b-8f9d-4cfb-8636-2e53618f3daa", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "14a6d76d-c7e4-4c33-a9bd-fab9af70f900", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "04ab43d3-226e-4e2f-a150-89154d731c2f", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "c3c3d87c-8824-4083-822d-d8494a8be695", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "19b54851-b502-47ff-b4ba-c7402312e15e", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "90047821-2703-4511-aa1e-089ff98c98e9", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": 
"dcb2c44f-fa1b-49dc-a8fd-95735065a2ca", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "466a4ef7-11b5-42b8-9499-34509fff70f6", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "466a4ef7-11b5-42b8-9499-34509fff70f6", + "title": "List of Suspicious Remote Sessions[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Suspicious Connections", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:11:25.231Z", + "id": "gigamon-62291e9e-8b75-4f23-9121-79959da99b3b", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "691cc634-beea-4461-abf3-7798f2fd7f53:indexpattern-datasource-layer-4e7a5be6-e8e2-4181-8c8e-3464b9cbb8f3", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9e15b7fa-c6fa-407f-8164-0003a5211964:indexpattern-datasource-layer-0e790f53-fc9a-4723-b826-345927fe0ac2", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "466a4ef7-11b5-42b8-9499-34509fff70f6:indexpattern-datasource-layer-dcb2c44f-fa1b-49dc-a8fd-95735065a2ca", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6.json b/packages/gigamon/kibana/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6.json new file mode 100644 index 00000000000..13c56e79ee7 --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6.json 
@@ -0,0 +1,484 @@ +{ + "attributes": { + "description": "Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [**Homoglyph Detection**](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + 
"title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 20, + "i": "49b436e4-ffd2-45d3-934f-2ca7a793dc64", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "49b436e4-ffd2-45d3-934f-2ca7a793dc64", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "URL strings which look like inputted trusted domains, but are composed of different characters - by default uses Alexa Top 10 websites", + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-6a4b4b49-d74b-4032-8c98-aa7a2050ead3", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2f79ee85-3ccc-4e3b-a3cd-54801483e084", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6a4b4b49-d74b-4032-8c98-aa7a2050ead3": { + "columnOrder": [ + "51c88eae-3453-4280-ba44-613a771083b2", + "79795325-098b-4f82-bca9-1ff840c93600" + ], + "columns": { + "51c88eae-3453-4280-ba44-613a771083b2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain Name", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [ + ".*(amazon|google|facebook|youtube|twitter|instagram|baidu|wikipedia|yahoo|reddit)\\.com.*" + ], + "includeIsRegex": true, + "missingBucket": false, + "orderBy": { + "columnId": "79795325-098b-4f82-bca9-1ff840c93600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_name" + }, + "79795325-098b-4f82-bca9-1ff840c93600": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "No. 
of occurences", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "google.com\", \"youtube.com\", \"facebook.com\", \"baidu.com\", \"wikipedia.com\", \"qq.com\", \"taobao.com\", \"tmail.com\", \"yahoo.com\", \"amazon.com\"", + "disabled": false, + "field": "gigamon.ami.dns_name", + "index": "2f79ee85-3ccc-4e3b-a3cd-54801483e084", + "key": "gigamon.ami.dns_name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "gigamon.ami.dns_name" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#dc741e", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#197855", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#5d0d40", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "6a4b4b49-d74b-4032-8c98-aa7a2050ead3", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "79795325-098b-4f82-bca9-1ff840c93600" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "51c88eae-3453-4280-ba44-613a771083b2" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "Breakdown of top domains having homoglyph detections", + 
"enhancements": {} + }, + "gridData": { + "h": 20, + "i": "9a6bd170-6a5e-4da1-be11-91bf825056db", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "9a6bd170-6a5e-4da1-be11-91bf825056db", + "title": "Top Domains[GigamonAMI] ", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "URL strings which look like inputted trusted domains, but are composed of different characters.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "0841a17a-ea4c-4923-b6ca-9ce4aa904336", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "0841a17a-ea4c-4923-b6ca-9ce4aa904336", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-6a4b4b49-d74b-4032-8c98-aa7a2050ead3", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "b2d2a2d8-715d-49ea-b486-2046c4083804", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6a4b4b49-d74b-4032-8c98-aa7a2050ead3": { + "columnOrder": [ + "51c88eae-3453-4280-ba44-613a771083b2", + "6e865472-1f67-4dda-ad2f-de01e44311c3", + "79795325-098b-4f82-bca9-1ff840c93600" + ], + "columns": { + "51c88eae-3453-4280-ba44-613a771083b2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain Name", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [ + ".*(amazon|google|facebook|youtube|twitter|instagram|baidu|wikipedia|yahoo|reddit)\\.com.*" + 
], + "includeIsRegex": true, + "missingBucket": false, + "orderBy": { + "columnId": "79795325-098b-4f82-bca9-1ff840c93600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_name" + }, + "6e865472-1f67-4dda-ad2f-de01e44311c3": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Src ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "79795325-098b-4f82-bca9-1ff840c93600", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 24 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "79795325-098b-4f82-bca9-1ff840c93600": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "No. 
of occurences", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "google.com\", \"youtube.com\", \"facebook.com\", \"baidu.com\", \"wikipedia.com\", \"qq.com\", \"taobao.com\", \"tmail.com\", \"yahoo.com\", \"amazon.com\"", + "disabled": false, + "field": "gigamon.ami.dns_name", + "index": "b2d2a2d8-715d-49ea-b486-2046c4083804", + "key": "gigamon.ami.dns_name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "gigamon.ami.dns_name" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "51c88eae-3453-4280-ba44-613a771083b2" + }, + { + "columnId": "79795325-098b-4f82-bca9-1ff840c93600" + }, + { + "columnId": "6e865472-1f67-4dda-ad2f-de01e44311c3", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "6a4b4b49-d74b-4032-8c98-aa7a2050ead3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "3807bd4e-36c5-4458-92fb-10b007af3a45", + "w": 48, + "x": 0, + "y": 24 + }, + "panelIndex": "3807bd4e-36c5-4458-92fb-10b007af3a45", + "title": "Domain Comparison[GigamonAMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Homoglyph Detection", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:07:01.487Z", + "id": "gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"9a6bd170-6a5e-4da1-be11-91bf825056db:indexpattern-datasource-layer-6a4b4b49-d74b-4032-8c98-aa7a2050ead3", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9a6bd170-6a5e-4da1-be11-91bf825056db:2f79ee85-3ccc-4e3b-a3cd-54801483e084", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "3807bd4e-36c5-4458-92fb-10b007af3a45:indexpattern-datasource-layer-6a4b4b49-d74b-4032-8c98-aa7a2050ead3", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "3807bd4e-36c5-4458-92fb-10b007af3a45:b2d2a2d8-715d-49ea-b486-2046c4083804", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e.json b/packages/gigamon/kibana/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e.json new file mode 100644 index 00000000000..da475f4fc02 --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e.json 
@@ -0,0 +1,1483 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [**App Insights**](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"6b75164e-2b30-43ee-a8db-f95a6c5b7a6c", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "6b75164e-2b30-43ee-a8db-f95a6c5b7a6c", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-2f770a63-b087-4627-9eac-4ec02a6860a2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "2f770a63-b087-4627-9eac-4ec02a6860a2": { + "columnOrder": [ + "62d6b474-61fc-4349-9b15-33128c7696bf", + "c80909dc-a315-4156-85c5-267a882d0011" + ], + "columns": { + "62d6b474-61fc-4349-9b15-33128c7696bf": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 50 Applications", + "operationType": "terms", + "params": { + "exclude": [ + "Classification-unknown" + ], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c80909dc-a315-4156-85c5-267a882d0011", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 50 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "c80909dc-a315-4156-85c5-267a882d0011": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "colorMapping": { + "assignments": [], + 
"colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#3ad93a", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#e677b1", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#22abda", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2f770a63-b087-4627-9eac-4ec02a6860a2", + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "showLabel": true, + "tagAccessor": "62d6b474-61fc-4349-9b15-33128c7696bf", + "valueAccessor": "c80909dc-a315-4156-85c5-267a882d0011" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsTagcloud" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "82d13ba0-b304-4852-afd1-6963f658852a", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "82d13ba0-b304-4852-afd1-6963f658852a", + "title": "App Overview[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Expired TLS Certificate Details", + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-f2bfa25e-3307-4990-9396-2a83c047bd87", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "c8822484-f6d7-438a-8d37-aea5210af207", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f2bfa25e-3307-4990-9396-2a83c047bd87": { + "columnOrder": [ + "00b64c0f-6ad7-49b0-97ad-620e892b52a0", + "fb36c053-2418-4fd4-b0c5-4d4f7149401f", + "9918b794-dee6-4d48-8cfa-985156eb6c71", + "35dbd18d-724e-4a71-a3d2-e3b95b391397", + "b4ff9561-a4c4-472b-94dd-bb19be1790df", + "088613fe-caa6-4a7a-a71d-041f58eeaca7" + ], + "columns": { + "00b64c0f-6ad7-49b0-97ad-620e892b52a0": { + "customLabel": true, + 
"dataType": "ip", + "isBucketed": true, + "label": "Server ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b4ff9561-a4c4-472b-94dd-bb19be1790df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "088613fe-caa6-4a7a-a71d-041f58eeaca7": { + "customLabel": true, + "dataType": "date", + "isBucketed": false, + "label": "Expiration Details", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.ssl_validity_not_after" + }, + "35dbd18d-724e-4a71-a3d2-e3b95b391397": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Issuer", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b4ff9561-a4c4-472b-94dd-bb19be1790df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_issuer" + }, + "9918b794-dee6-4d48-8cfa-985156eb6c71": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Common_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b4ff9561-a4c4-472b-94dd-bb19be1790df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_common_name" + }, + "b4ff9561-a4c4-472b-94dd-bb19be1790df": { + "dataType": "number", + "isBucketed": 
false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fb36c053-2418-4fd4-b0c5-4d4f7149401f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b4ff9561-a4c4-472b-94dd-bb19be1790df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.ssl_validity_not_after", + "index": "c8822484-f6d7-438a-8d37-aea5210af207", + "key": "gigamon.ami.ssl_validity_not_after", + "negate": false, + "params": { + "lt": "2024-01-01T00:00:00.000+05:30" + }, + "type": "range", + "value": { + "lt": "2024-01-01T00:00:00.000+05:30" + } + }, + "query": { + "range": { + "gigamon.ami.ssl_validity_not_after": { + "lt": "2024-01-01T00:00:00.000+05:30" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" and gigamon.ami.ssl_validity_not_after : * " + }, + "visualization": { + "columns": [ + { + "columnId": "9918b794-dee6-4d48-8cfa-985156eb6c71", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "35dbd18d-724e-4a71-a3d2-e3b95b391397", + "isTransposed": false + }, + { + "columnId": "00b64c0f-6ad7-49b0-97ad-620e892b52a0", + "isTransposed": false + }, + { + "columnId": "fb36c053-2418-4fd4-b0c5-4d4f7149401f", + "isTransposed": false + }, + { + 
"columnId": "b4ff9561-a4c4-472b-94dd-bb19be1790df", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "088613fe-caa6-4a7a-a71d-041f58eeaca7", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "f2bfa25e-3307-4990-9396-2a83c047bd87", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Expired TLS Certificate Details", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f8298c20-12fa-44e3-a9ab-139a3d78d841", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "f8298c20-12fa-44e3-a9ab-139a3d78d841", + "title": "Expired TLS Certificate Details[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Versions that are deprecated: SSL 1.0, SSL 1.1, SSL 3.0, TLS 1.0, TLS 1.1", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 3, + "i": "58d2d585-6174-47c9-bd03-6a6d6f98712f", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "58d2d585-6174-47c9-bd03-6a6d6f98712f", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-5276360b-3935-40fb-81fc-d50d8f9ea03f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "5276360b-3935-40fb-81fc-d50d8f9ea03f": { + "columnOrder": [ + "dc401df1-9aff-4c54-959c-5c01f64223f8", + "7c64cedb-bff6-440d-8c92-ca2b6dd4d548" + ], + "columns": { + "7c64cedb-bff6-440d-8c92-ca2b6dd4d548": { + 
"dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "dc401df1-9aff-4c54-959c-5c01f64223f8": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of gigamon.ami.ssl_protocol_version_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c64cedb-bff6-440d-8c92-ca2b6dd4d548", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_protocol_version_value" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7c64cedb-bff6-440d-8c92-ca2b6dd4d548" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5276360b-3935-40fb-81fc-d50d8f9ea03f", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "dc401df1-9aff-4c54-959c-5c01f64223f8", + "yConfig": [ + 
{ + "axisMode": "auto", + "color": "#c193f8", + "forAccessor": "7c64cedb-bff6-440d-8c92-ca2b6dd4d548" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 24, + "i": "9abb6f37-8bf4-4ab6-b5d6-536dc987436d", + "w": 24, + "x": 0, + "y": 24 + }, + "panelIndex": "9abb6f37-8bf4-4ab6-b5d6-536dc987436d", + "title": "TLS info[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-66c4f953-6f64-4e94-866f-ea62083a4fc5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "66c4f953-6f64-4e94-866f-ea62083a4fc5": { + "columnOrder": [ + "830dc1e4-efaa-4b02-a9e5-71ecf70fcd91", + "920ed35e-df85-4640-9a08-fb755078ffc0" + ], + "columns": { + "830dc1e4-efaa-4b02-a9e5-71ecf70fcd91": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top DNS Queries", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "920ed35e-df85-4640-9a08-fb755078ffc0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_query" + }, + "920ed35e-df85-4640-9a08-fb755078ffc0": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + 
"sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#f47cbc", + "touched": true, + "type": "colorCode" + }, + { + "colorIndex": 3, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 5, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "66c4f953-6f64-4e94-866f-ea62083a4fc5", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "920ed35e-df85-4640-9a08-fb755078ffc0" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "830dc1e4-efaa-4b02-a9e5-71ecf70fcd91" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "98f58056-281d-48fe-a045-9fc5975472d8", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "98f58056-281d-48fe-a045-9fc5975472d8", + "title": "Top DNS Queries[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-ecbac86b-4380-404f-8228-0eebf7bdfc91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"e129a477-9070-430e-a87c-8699b92ac3ce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecbac86b-4380-404f-8228-0eebf7bdfc91": { + "columnOrder": [ + "bca7b9cc-0dc8-4f55-a3b2-9f54b74b3769", + "c74da66c-1554-4afa-aa45-a42c11d00043" + ], + "columns": { + "bca7b9cc-0dc8-4f55-a3b2-9f54b74b3769": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Server ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c74da66c-1554-4afa-aa45-a42c11d00043", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "c74da66c-1554-4afa-aa45-a42c11d00043": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e129a477-9070-430e-a87c-8699b92ac3ce", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "key": "gigamon.ami.app_name", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.app_name": "dns" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.dst_port", + "index": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "key": "gigamon.ami.dst_port", + "negate": false, + 
"params": { + "query": "53" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.dst_port": "53" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "bca7b9cc-0dc8-4f55-a3b2-9f54b74b3769", + "isTransposed": false + }, + { + "columnId": "c74da66c-1554-4afa-aa45-a42c11d00043", + "isTransposed": false + } + ], + "layerId": "ecbac86b-4380-404f-8228-0eebf7bdfc91", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a8ab6b8e-65a7-4b15-9d88-4fe84a04e66a", + "w": 24, + "x": 0, + "y": 48 + }, + "panelIndex": "a8ab6b8e-65a7-4b15-9d88-4fe84a04e66a", + "title": "DNS Rogue Servers[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-fb531e58-0b95-4e83-b783-bf2806d409a5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "fb531e58-0b95-4e83-b783-bf2806d409a5": { + "columnOrder": [ + "6afa5e9f-20a3-414c-9075-9c1c10ed4246", + "3ed41f7f-3041-4fab-ab2b-9ee94ef57dd3" + ], + "columns": { + "3ed41f7f-3041-4fab-ab2b-9ee94ef57dd3": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6afa5e9f-20a3-414c-9075-9c1c10ed4246": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http_code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + 
"include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3ed41f7f-3041-4fab-ab2b-9ee94ef57dd3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 20 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_code" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" and gigamon.ami.http_code \u003e= \"400\" and gigamon.ami.http_code\u003c \"500\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "3ed41f7f-3041-4fab-ab2b-9ee94ef57dd3" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "fb531e58-0b95-4e83-b783-bf2806d409a5", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "6afa5e9f-20a3-414c-9075-9c1c10ed4246", + "yConfig": [ + { + "color": "#54b399", + "forAccessor": "3ed41f7f-3041-4fab-ab2b-9ee94ef57dd3" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + 
} + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3158230d-f337-4f7c-b6e4-4ef7bb238e1d", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "3158230d-f337-4f7c-b6e4-4ef7bb238e1d", + "title": "Distribution of HTTP Error codes[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-6e2c8ecc-817c-4e37-9f2d-a4fa9d1e24fa", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6e2c8ecc-817c-4e37-9f2d-a4fa9d1e24fa": { + "columnOrder": [ + "981b552d-157e-48e5-bbd0-57ed4f3e1abe", + "f67b2e7d-94fa-4f8b-be9c-9f5a44270aba" + ], + "columns": { + "981b552d-157e-48e5-bbd0-57ed4f3e1abe": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "ut_domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f67b2e7d-94fa-4f8b-be9c-9f5a44270aba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_name" + }, + "f67b2e7d-94fa-4f8b-be9c-9f5a44270aba": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": 
"981b552d-157e-48e5-bbd0-57ed4f3e1abe" + }, + { + "columnId": "f67b2e7d-94fa-4f8b-be9c-9f5a44270aba" + } + ], + "layerId": "6e2c8ecc-817c-4e37-9f2d-a4fa9d1e24fa", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a7af43a5-7061-4222-b3d1-611f063a4e85", + "w": 24, + "x": 0, + "y": 63 + }, + "panelIndex": "a7af43a5-7061-4222-b3d1-611f063a4e85", + "title": "Top URL's", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-974e273d-499f-40bc-9759-7176653b97e6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "974e273d-499f-40bc-9759-7176653b97e6": { + "columnOrder": [ + "e42ef1c4-97cc-4d69-979d-2f2afc4e7094", + "6b470c1b-a015-47ee-9b85-48ee5c504944" + ], + "columns": { + "6b470c1b-a015-47ee-9b85-48ee5c504944": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e42ef1c4-97cc-4d69-979d-2f2afc4e7094": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.ssl_cipher_suite_id_value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6b470c1b-a015-47ee-9b85-48ee5c504944", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.ssl_cipher_suite_id_value" + } + }, + "incompleteColumns": {}, + "indexPatternId": 
"e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6b470c1b-a015-47ee-9b85-48ee5c504944" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "974e273d-499f-40bc-9759-7176653b97e6", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e42ef1c4-97cc-4d69-979d-2f2afc4e7094", + "yConfig": [ + { + "color": "#5485b3", + "forAccessor": "6b470c1b-a015-47ee-9b85-48ee5c504944" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2ba5611d-c9c5-4ace-bc10-7ca77c30173b", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "2ba5611d-c9c5-4ace-bc10-7ca77c30173b", + "title": "SSL Ciphers[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] App Insights", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:02:09.624Z", + "id": 
"gigamon-855a64dc-1a72-403f-932b-a5b848378f7e", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "82d13ba0-b304-4852-afd1-6963f658852a:indexpattern-datasource-layer-2f770a63-b087-4627-9eac-4ec02a6860a2", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "f8298c20-12fa-44e3-a9ab-139a3d78d841:indexpattern-datasource-layer-f2bfa25e-3307-4990-9396-2a83c047bd87", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "f8298c20-12fa-44e3-a9ab-139a3d78d841:c8822484-f6d7-438a-8d37-aea5210af207", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9abb6f37-8bf4-4ab6-b5d6-536dc987436d:indexpattern-datasource-layer-5276360b-3935-40fb-81fc-d50d8f9ea03f", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "98f58056-281d-48fe-a045-9fc5975472d8:indexpattern-datasource-layer-66c4f953-6f64-4e94-866f-ea62083a4fc5", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a8ab6b8e-65a7-4b15-9d88-4fe84a04e66a:indexpattern-datasource-layer-ecbac86b-4380-404f-8228-0eebf7bdfc91", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a8ab6b8e-65a7-4b15-9d88-4fe84a04e66a:e129a477-9070-430e-a87c-8699b92ac3ce", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "3158230d-f337-4f7c-b6e4-4ef7bb238e1d:indexpattern-datasource-layer-fb531e58-0b95-4e83-b783-bf2806d409a5", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a7af43a5-7061-4222-b3d1-611f063a4e85:indexpattern-datasource-layer-6e2c8ecc-817c-4e37-9f2d-a4fa9d1e24fa", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2ba5611d-c9c5-4ace-bc10-7ca77c30173b:indexpattern-datasource-layer-974e273d-499f-40bc-9759-7176653b97e6", + 
"type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754.json b/packages/gigamon/kibana/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754.json new file mode 100644 index 00000000000..69c0ce659fa --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754.json 
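Review bot: The "Expired TLS Certificate Details" panel decides expiry with a fixed timestamp — `"lt": "2024-01-01T00:00:00.000+05:30"` appears three times in that panel's filter (`params`, `value` and the `range` query) — so any certificate that expired after that date is never shown and the panel goes stale the day it ships; Kibana range filters accept date math, so `"lt": "now"` in all three places would make it track actual expiry. Two smaller points in the same hunk: the "DNS Rogue Servers" table filters on `gigamon.ami.app_name: dns` and `gigamon.ami.dst_port: 53` but labels `gigamon.ami.src_ip` as "Server ip", which for a query flow to port 53 looks like the client address rather than the server — presumably `gigamon.ami.dst_ip` was intended, worth confirming against the field mapping. The markdown panel listing deprecated versions names "SSL 1.0, SSL 1.1", which were never public protocol versions, while SSL 2.0 (the one actually prohibited alongside SSL 3.0) is missing; `Versions that are deprecated: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1` would be accurate.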
@@ -0,0 +1,682 @@ +{ + "attributes": { + "description": "Determining if a URL is benign or malicious by analyzing the URL or its components.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [**URL Analysis**](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": 
{} + } + }, + "gridData": { + "h": 22, + "i": "52292c42-c0a5-4d5a-8a21-7f5dea0d72db", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "52292c42-c0a5-4d5a-8a21-7f5dea0d72db", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-cd856c2a-46c1-4df6-b312-a57d975d7421", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cd856c2a-46c1-4df6-b312-a57d975d7421": { + "columnOrder": [ + "6844ab73-32bb-4053-a050-e6323745a48a", + "a5c06c0e-c278-4cdf-8b3a-eb0a7dc54e8b" + ], + "columns": { + "6844ab73-32bb-4053-a050-e6323745a48a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of gigamon.ami.dns_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a5c06c0e-c278-4cdf-8b3a-eb0a7dc54e8b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_name" + }, + "a5c06c0e-c278-4cdf-8b3a-eb0a7dc54e8b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#f3312b", 
+ "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#bfe467", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#2aee1d", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "cd856c2a-46c1-4df6-b312-a57d975d7421", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "a5c06c0e-c278-4cdf-8b3a-eb0a7dc54e8b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6844ab73-32bb-4053-a050-e6323745a48a" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "0fdd5c6d-a9fb-4ce9-9e62-b4491a5e2fd7", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "0fdd5c6d-a9fb-4ce9-9e62-b4491a5e2fd7", + "title": "Most Common URL's - Top 10[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-2baf48c3-9fd0-496a-83bc-10fb08c0e185", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "95b7216a-aedc-4964-ac63-824f2ba16b0b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2baf48c3-9fd0-496a-83bc-10fb08c0e185": { + "columnOrder": [ + "7291edf7-169f-4e54-b973-c167cf525f5c", + "d093cc35-d763-4f8f-a180-b76c942acfe1" + ], + "columns": { + "7291edf7-169f-4e54-b973-c167cf525f5c": { + "dataType": "number", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.dst_port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + 
"orderBy": { + "columnId": "d093cc35-d763-4f8f-a180-b76c942acfe1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + }, + "d093cc35-d763-4f8f-a180-b76c942acfe1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.dns_name", + "index": "95b7216a-aedc-4964-ac63-824f2ba16b0b", + "key": "gigamon.ami.dns_name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "gigamon.ami.dns_name" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "kibana_v7_legacy", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2baf48c3-9fd0-496a-83bc-10fb08c0e185", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "d093cc35-d763-4f8f-a180-b76c942acfe1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "7291edf7-169f-4e54-b973-c167cf525f5c" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4648f24d-ab58-4f61-8168-70d53013db9b", + "w": 24, + "x": 24, + "y": 
15 + }, + "panelIndex": "4648f24d-ab58-4f61-8168-70d53013db9b", + "title": "Port Usage Breakdown[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-b4cb0805-6cc3-4468-8d86-48aa1a0b7db1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "b4cb0805-6cc3-4468-8d86-48aa1a0b7db1": { + "columnOrder": [ + "d3d7ed45-8235-4ab0-b28d-73ee699c05ba", + "28156743-e6eb-45db-8440-4b20d3605ed7" + ], + "columns": { + "28156743-e6eb-45db-8440-4b20d3605ed7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d3d7ed45-8235-4ab0-b28d-73ee699c05ba": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "28156743-e6eb-45db-8440-4b20d3605ed7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_name" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "d3d7ed45-8235-4ab0-b28d-73ee699c05ba" + }, + { + "columnId": "28156743-e6eb-45db-8440-4b20d3605ed7" + } + 
], + "layerId": "b4cb0805-6cc3-4468-8d86-48aa1a0b7db1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "26779c1e-6664-461a-87b5-2694a97b059f", + "w": 24, + "x": 0, + "y": 22 + }, + "panelIndex": "26779c1e-6664-461a-87b5-2694a97b059f", + "title": "Number of Events Per URL[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-041a0381-2bfb-4cd9-873d-19dce5f12fc9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "041a0381-2bfb-4cd9-873d-19dce5f12fc9": { + "columnOrder": [ + "bfc963a5-2153-4879-b559-1bb76a950438", + "fbf41e2b-8e6a-4592-a0fe-a5d619cb8159", + "1cd730e6-4d07-4f73-a00b-c4c461b4813e" + ], + "columns": { + "1cd730e6-4d07-4f73-a00b-c4c461b4813e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bfc963a5-2153-4879-b559-1bb76a950438": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "fbf41e2b-8e6a-4592-a0fe-a5d619cb8159": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of gigamon.ami.dns_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1cd730e6-4d07-4f73-a00b-c4c461b4813e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + 
"size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1cd730e6-4d07-4f73-a00b-c4c461b4813e" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "041a0381-2bfb-4cd9-873d-19dce5f12fc9", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "fbf41e2b-8e6a-4592-a0fe-a5d619cb8159", + "xAccessor": "bfc963a5-2153-4879-b559-1bb76a950438" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8ecd545c-6fc8-49f4-8612-29ce91f43b63", + "w": 24, + "x": 0, + "y": 37 + }, + "panelIndex": "8ecd545c-6fc8-49f4-8612-29ce91f43b63", + "title": "URL Activity[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] URL Analysis", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:07:49.927Z", + "id": 
"gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "0fdd5c6d-a9fb-4ce9-9e62-b4491a5e2fd7:indexpattern-datasource-layer-cd856c2a-46c1-4df6-b312-a57d975d7421", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4648f24d-ab58-4f61-8168-70d53013db9b:indexpattern-datasource-layer-2baf48c3-9fd0-496a-83bc-10fb08c0e185", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4648f24d-ab58-4f61-8168-70d53013db9b:95b7216a-aedc-4964-ac63-824f2ba16b0b", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "26779c1e-6664-461a-87b5-2694a97b059f:indexpattern-datasource-layer-b4cb0805-6cc3-4468-8d86-48aa1a0b7db1", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "8ecd545c-6fc8-49f4-8612-29ce91f43b63:indexpattern-datasource-layer-041a0381-2bfb-4cd9-873d-19dce5f12fc9", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787.json b/packages/gigamon/kibana/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787.json new file mode 100644 index 00000000000..27695403cb4 --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787.json 
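Review bot: The dashboard description `Determining if a URL is benign or malicious by analyzing the URL or its components.` promises a verdict that none of the panels in this hunk produce: every panel aggregates `gigamon.ami.dns_name`, `gigamon.ami.dst_port` and record counts over time, and no field, filter or column carries a benign/malicious classification. An analyst could read a top-N host list as a threat judgment, so I would reword the description to what is actually shown, e.g. `Most frequently observed DNS names, destination ports and per-host event volume over time from Gigamon AMI.`. The panel title `Most Common URL's - Top 10[Gigamon AMI]` likewise groups by `gigamon.ami.dns_name`, so `Most Common DNS Names - Top 10 [Gigamon AMI]` would be accurate and drops the stray apostrophe. Separately, `Port Usage Breakdown[Gigamon AMI]` is the only panel carrying an `exists` filter on `gigamon.ami.dns_name`; it is worth stating in the PR whether the other panels are meant to omit it, since the counts will otherwise disagree across panels on the same time range.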
@@ -0,0 +1,1212 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [**Top Traffic Sources and Destinations**](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"9dd98f7e-00fe-49ba-a5a5-a19ae6b62d45", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "9dd98f7e-00fe-49ba-a5a5-a19ae6b62d45", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-3dd7de9b-2674-43e2-9f03-179267084b90", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3dd7de9b-2674-43e2-9f03-179267084b90": { + "columnOrder": [ + "2a289592-f71f-4235-974f-a3b49f5094d0" + ], + "columns": { + "2a289592-f71f-4235-974f-a3b49f5094d0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Distinct Source Ports", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.src_port" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "color": "#e4cd66", + "layerId": "3dd7de9b-2674-43e2-9f03-179267084b90", + "layerType": "data", + "metricAccessor": "2a289592-f71f-4235-974f-a3b49f5094d0", + "showBar": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 13, + "i": "6f8364bf-0889-4fcf-b93e-7bbe4a2e5a2f", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "6f8364bf-0889-4fcf-b93e-7bbe4a2e5a2f", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-684ec40c-0c1f-4071-bc86-2912815b5999", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "684ec40c-0c1f-4071-bc86-2912815b5999": { + "columnOrder": [ + "c97b3714-be01-4926-b743-90a30d756c0e", + "1603c076-6ce6-410f-8756-e435f560cedd" + ], + "columns": { + "1603c076-6ce6-410f-8756-e435f560cedd": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c97b3714-be01-4926-b743-90a30d756c0e": { + "dataType": "number", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.dst_port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1603c076-6ce6-410f-8756-e435f560cedd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 3, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + }, + { + "colorCode": "#1fc0ec", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#9cc698", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": 
"loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "684ec40c-0c1f-4071-bc86-2912815b5999", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "1603c076-6ce6-410f-8756-e435f560cedd" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c97b3714-be01-4926-b743-90a30d756c0e" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "af30586c-75b3-4cf7-8068-26dd00cf5015", + "w": 24, + "x": 24, + "y": 13 + }, + "panelIndex": "af30586c-75b3-4cf7-8068-26dd00cf5015", + "title": "Top Destination Ports[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-4df04fa8-fb80-477b-9ba1-9cf4a934a83a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4df04fa8-fb80-477b-9ba1-9cf4a934a83a": { + "columnOrder": [ + "edb81aaf-c2f7-435e-a83f-b1ad8183a52e", + "5c632bbc-7477-49c6-86ba-dfbab9a43422" + ], + "columns": { + "5c632bbc-7477-49c6-86ba-dfbab9a43422": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "edb81aaf-c2f7-435e-a83f-b1ad8183a52e": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Top Source ports", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5c632bbc-7477-49c6-86ba-dfbab9a43422", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", 
+ "sourceField": "gigamon.ami.src_port" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#b52a71", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#343c8f", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#dddd30", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4df04fa8-fb80-477b-9ba1-9cf4a934a83a", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "5c632bbc-7477-49c6-86ba-dfbab9a43422" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "edb81aaf-c2f7-435e-a83f-b1ad8183a52e" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a50fa397-cb54-42c9-aaad-f04f7799893b", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "a50fa397-cb54-42c9-aaad-f04f7799893b", + "title": "Top Source Ports[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-403b61f1-7a19-449b-bd4a-f8e479cf992c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "403b61f1-7a19-449b-bd4a-f8e479cf992c": { + "columnOrder": [ + "3875653f-ef59-42df-a97e-d277739205d7", 
+ "ecc4de4c-4340-4a02-9fe2-8b4cf363a7c1" + ], + "columns": { + "3875653f-ef59-42df-a97e-d277739205d7": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 10 values of gigamon.ami.dst_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ecc4de4c-4340-4a02-9fe2-8b4cf363a7c1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "ecc4de4c-4340-4a02-9fe2-8b4cf363a7c1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 0, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 2, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + }, + { + "colorIndex": 6, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "403b61f1-7a19-449b-bd4a-f8e479cf992c", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + 
"ecc4de4c-4340-4a02-9fe2-8b4cf363a7c1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3875653f-ef59-42df-a97e-d277739205d7" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "535537dd-8986-4f20-81bc-762050441e30", + "w": 24, + "x": 24, + "y": 28 + }, + "panelIndex": "535537dd-8986-4f20-81bc-762050441e30", + "title": "Top 10 Destinations[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-46fcaaf9-668c-4079-a818-8e3371c526ec", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "46fcaaf9-668c-4079-a818-8e3371c526ec": { + "columnOrder": [ + "578ad0ba-7116-481a-823c-9fc067a6e6db" + ], + "columns": { + "578ad0ba-7116-481a-823c-9fc067a6e6db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Distinct Destination Ports", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "gigamon.ami.dst_port" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "color": "#9170B8", + "layerId": "46fcaaf9-668c-4079-a818-8e3371c526ec", + "layerType": "data", + "metricAccessor": "578ad0ba-7116-481a-823c-9fc067a6e6db" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "37f1214d-ab60-4e57-9f2e-11784a6b8cc4", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": 
"37f1214d-ab60-4e57-9f2e-11784a6b8cc4", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-aa7adcfb-0485-48f9-9e46-64a74505c5fd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "aa7adcfb-0485-48f9-9e46-64a74505c5fd": { + "columnOrder": [ + "167786df-704b-4425-acf4-ced7106b3d1e", + "211993c9-872d-4be8-bf97-32bc020dd905", + "bf957b0e-de15-4c2d-a4fc-ded5eb179054" + ], + "columns": { + "167786df-704b-4425-acf4-ced7106b3d1e": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 20 values of gigamon.ami.src_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf957b0e-de15-4c2d-a4fc-ded5eb179054", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "211993c9-872d-4be8-bf97-32bc020dd905": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bf957b0e-de15-4c2d-a4fc-ded5eb179054": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + 
"layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bf957b0e-de15-4c2d-a4fc-ded5eb179054" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "kibana_v7_legacy", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "aa7adcfb-0485-48f9-9e46-64a74505c5fd", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "167786df-704b-4425-acf4-ced7106b3d1e", + "xAccessor": "211993c9-872d-4be8-bf97-32bc020dd905" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "afad47ae-823e-42b0-969e-9cb3089b8dd9", + "w": 24, + "x": 24, + "y": 43 + }, + "panelIndex": "afad47ae-823e-42b0-969e-9cb3089b8dd9", + "title": "Top Source traffic over time[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-4babe8af-f2c9-4bab-9cd0-8bc1275cbd61", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + 
"layers": { + "4babe8af-f2c9-4bab-9cd0-8bc1275cbd61": { + "columnOrder": [ + "0f930a61-4614-41c3-81b1-54a396de3cc2", + "93706035-95eb-43bd-a491-8005fcc7e1a7" + ], + "columns": { + "0f930a61-4614-41c3-81b1-54a396de3cc2": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 10 values of gigamon.ami.src_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "93706035-95eb-43bd-a491-8005fcc7e1a7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "93706035-95eb-43bd-a491-8005fcc7e1a7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#d78338", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#a09787", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#89d658", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4babe8af-f2c9-4bab-9cd0-8bc1275cbd61", + "layerType": "data", + "legendDisplay": "default", + 
"metrics": [ + "93706035-95eb-43bd-a491-8005fcc7e1a7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0f930a61-4614-41c3-81b1-54a396de3cc2" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "52ecf662-7933-4de2-be81-5f61baeb9db5", + "w": 24, + "x": 0, + "y": 48 + }, + "panelIndex": "52ecf662-7933-4de2-be81-5f61baeb9db5", + "title": "Top 10 Sources[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-8490641b-b909-47f5-85f7-0d4904867eae", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8490641b-b909-47f5-85f7-0d4904867eae": { + "columnOrder": [ + "bfea9964-b2b6-4ff7-b5fa-8ef6a713520a", + "f3fbee1a-ac43-4986-8815-8b141deb6199", + "346bbf6a-c049-4523-9a3d-136b42da3aaa" + ], + "columns": { + "346bbf6a-c049-4523-9a3d-136b42da3aaa": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bfea9964-b2b6-4ff7-b5fa-8ef6a713520a": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 20 values of gigamon.ami.dst_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "346bbf6a-c049-4523-9a3d-136b42da3aaa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "f3fbee1a-ac43-4986-8815-8b141deb6199": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + 
"operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "346bbf6a-c049-4523-9a3d-136b42da3aaa" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "elastic_brand_2023", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8490641b-b909-47f5-85f7-0d4904867eae", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "bfea9964-b2b6-4ff7-b5fa-8ef6a713520a", + "xAccessor": "f3fbee1a-ac43-4986-8815-8b141deb6199" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "23a2dec7-0607-45a6-a5f0-175fbd4638c5", + "w": 24, + "x": 0, + "y": 63 + }, + "panelIndex": "23a2dec7-0607-45a6-a5f0-175fbd4638c5", + "title": "Top Destination traffic over time[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Top Traffic Sources 
and Destinations", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:03:56.659Z", + "id": "gigamon-d6cecabb-f026-4823-914d-b4d61fd61787", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "6f8364bf-0889-4fcf-b93e-7bbe4a2e5a2f:indexpattern-datasource-layer-3dd7de9b-2674-43e2-9f03-179267084b90", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "af30586c-75b3-4cf7-8068-26dd00cf5015:indexpattern-datasource-layer-684ec40c-0c1f-4071-bc86-2912815b5999", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a50fa397-cb54-42c9-aaad-f04f7799893b:indexpattern-datasource-layer-4df04fa8-fb80-477b-9ba1-9cf4a934a83a", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "535537dd-8986-4f20-81bc-762050441e30:indexpattern-datasource-layer-403b61f1-7a19-449b-bd4a-f8e479cf992c", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "37f1214d-ab60-4e57-9f2e-11784a6b8cc4:indexpattern-datasource-layer-46fcaaf9-668c-4079-a818-8e3371c526ec", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "afad47ae-823e-42b0-969e-9cb3089b8dd9:indexpattern-datasource-layer-aa7adcfb-0485-48f9-9e46-64a74505c5fd", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "52ecf662-7933-4de2-be81-5f61baeb9db5:indexpattern-datasource-layer-4babe8af-f2c9-4bab-9cd0-8bc1275cbd61", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "23a2dec7-0607-45a6-a5f0-175fbd4638c5:indexpattern-datasource-layer-8490641b-b909-47f5-85f7-0d4904867eae", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file 
diff --git a/packages/gigamon/kibana/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8.json b/packages/gigamon/kibana/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8.json
new file mode 100644
index 00000000000..10dccca03c1
--- /dev/null
+++ b/packages/gigamon/kibana/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8.json
@@ -0,0 +1,2771 @@ +{ + "attributes": { + "description": "Shining a light on Client browsers, Server Software, http versions, http methods, URLs, error codes etc", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [**Web Traffic Details**](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)\n", + "openLinksInNewTab": false + }, + "title": "", + "type": 
"markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": "bf518256-1fcf-4484-8809-462128f83aa4", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "bf518256-1fcf-4484-8809-462128f83aa4", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-6653e941-2b11-4e99-8cf6-7b536389759d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6653e941-2b11-4e99-8cf6-7b536389759d": { + "columnOrder": [ + "0f7e88f1-9512-4990-a8dd-5c14f13b1888", + "00b347cd-94af-4f35-ac08-dadfaa522984" + ], + "columns": { + "00b347cd-94af-4f35-ac08-dadfaa522984": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "0f7e88f1-9512-4990-a8dd-5c14f13b1888": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Client Browsers", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "00b347cd-94af-4f35-ac08-dadfaa522984", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_user_agent" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": 
[ + { + "colorCode": "#687873", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#f1a3a2", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#a3c7e9", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "6653e941-2b11-4e99-8cf6-7b536389759d", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "00b347cd-94af-4f35-ac08-dadfaa522984" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0f7e88f1-9512-4990-a8dd-5c14f13b1888" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "9236f79d-61f7-404a-8822-17ef4496b7d6", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "9236f79d-61f7-404a-8822-17ef4496b7d6", + "title": "CLient Browsers[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-42ff257f-c3e4-45a0-9b1f-fc81a1882379", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "42ff257f-c3e4-45a0-9b1f-fc81a1882379": { + "columnOrder": [ + "d1adea58-258f-425b-84e4-794dd26a3454", + "c693786a-3905-452c-911e-9a883dcc0a15" + ], + "columns": { + "c693786a-3905-452c-911e-9a883dcc0a15": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d1adea58-258f-425b-84e4-794dd26a3454": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.http_method", + "operationType": "terms", 
+ "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c693786a-3905-452c-911e-9a883dcc0a15", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_method" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c693786a-3905-452c-911e-9a883dcc0a15" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "42ff257f-c3e4-45a0-9b1f-fc81a1882379", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "d1adea58-258f-425b-84e4-794dd26a3454", + "yConfig": [ + { + "color": "#39de20", + "forAccessor": "c693786a-3905-452c-911e-9a883dcc0a15" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": 
"0c4c7a41-4eb9-4389-9c0f-dd395676c84a", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "0c4c7a41-4eb9-4389-9c0f-dd395676c84a", + "title": "Methods[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-9a30d6db-4434-4567-9300-acbb289bbc91", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9a30d6db-4434-4567-9300-acbb289bbc91": { + "columnOrder": [ + "166d51f3-eff3-4fd4-aa2f-e9ab8b9dcb3e", + "3af067b4-b8be-41cf-bfad-3b321060fe64" + ], + "columns": { + "166d51f3-eff3-4fd4-aa2f-e9ab8b9dcb3e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Web Applications", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "http", + "https", + "http2" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3af067b4-b8be-41cf-bfad-3b321060fe64", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "3af067b4-b8be-41cf-bfad-3b321060fe64": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": 
"#f12b95", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#41bde7", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#9535ef", + "touched": true, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9a30d6db-4434-4567-9300-acbb289bbc91", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "3af067b4-b8be-41cf-bfad-3b321060fe64" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "166d51f3-eff3-4fd4-aa2f-e9ab8b9dcb3e" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8c016cce-649d-4cdb-a7df-e88685e7ee43", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "8c016cce-649d-4cdb-a7df-e88685e7ee43", + "title": "Encrypted vs Non Encrypted Traffic[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-f5aa0548-7204-4fe7-ae54-91c762a05ddd", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9e00affd-603f-47dc-8524-9248c20ef8dc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f5aa0548-7204-4fe7-ae54-91c762a05ddd": { + "columnOrder": [ + "65238739-3756-4f10-99ac-23b81b72a0dc", + "b498e653-30bc-44eb-8aed-a3425d27d8ad" + ], + "columns": { + "65238739-3756-4f10-99ac-23b81b72a0dc": { + "dataType": "number", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.http_code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "b498e653-30bc-44eb-8aed-a3425d27d8ad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_code" + }, + "b498e653-30bc-44eb-8aed-a3425d27d8ad": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.http_code", + "index": "9e00affd-603f-47dc-8524-9248c20ef8dc", + "key": "gigamon.ami.http_code", + "negate": false, + "params": { + "gte": "400" + }, + "type": "range", + "value": { + "gte": "400" + } + }, + "query": { + "range": { + "gigamon.ami.http_code": { + "gte": "400" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorCode": "#c31ef5", + "touched": false, + "type": "colorCode" + }, + { + "colorCode": "#f00c56", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#1185ef", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f5aa0548-7204-4fe7-ae54-91c762a05ddd", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "b498e653-30bc-44eb-8aed-a3425d27d8ad" + 
], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "65238739-3756-4f10-99ac-23b81b72a0dc" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a31e20d6-3010-44c4-b685-8a00a8698947", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "a31e20d6-3010-44c4-b685-8a00a8698947", + "title": "Error codes[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-f9a9aa82-c81c-45f0-9f40-d1bdb7a0a44b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f9a9aa82-c81c-45f0-9f40-d1bdb7a0a44b": { + "columnOrder": [ + "d8c09b4e-56e6-402b-aa74-1287c6e24889", + "b948f724-6163-471f-b55b-438e8d5d366a" + ], + "columns": { + "b948f724-6163-471f-b55b-438e8d5d366a": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d8c09b4e-56e6-402b-aa74-1287c6e24889": { + "dataType": "string", + "isBucketed": true, + "label": "Top 25 values of gigamon.ami.http_server_agent", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b948f724-6163-471f-b55b-438e8d5d366a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_server_agent" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + 
"query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 4, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 6, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 3, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f9a9aa82-c81c-45f0-9f40-d1bdb7a0a44b", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "b948f724-6163-471f-b55b-438e8d5d366a" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d8c09b4e-56e6-402b-aa74-1287c6e24889" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "49610792-b5f4-4920-9012-bed8ef370218", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "49610792-b5f4-4920-9012-bed8ef370218", + "title": "Server Software[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Port 0 communication most likely used by Attackers or Misconfigured Apps", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 3, + "i": 
"3bea4490-8302-40a5-93ee-771dc409b482", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "3bea4490-8302-40a5-93ee-771dc409b482", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-52f8c4eb-efe2-46ef-a2a1-48f38c5d2e60", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "52f8c4eb-efe2-46ef-a2a1-48f38c5d2e60": { + "columnOrder": [ + "e7f25707-762e-436b-b97e-bd60189298e3", + "80056f39-cc0f-452b-8d62-da7159be5299", + "a898dbab-6b26-405b-b64d-d890adca684b", + "545df12a-daf9-4537-b444-6b4c68e4373a", + "3e8aedfe-f53a-4352-9815-5dc7cdd7b1ca", + "3b212733-3584-4447-ad52-73674e71ff35" + ], + "columns": { + "3b212733-3584-4447-ad52-73674e71ff35": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3e8aedfe-f53a-4352-9815-5dc7cdd7b1ca": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Http Server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3b212733-3584-4447-ad52-73674e71ff35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_server" + }, + "545df12a-daf9-4537-b444-6b4c68e4373a": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Source port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + 0 + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"3b212733-3584-4447-ad52-73674e71ff35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_port" + }, + "80056f39-cc0f-452b-8d62-da7159be5299": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3b212733-3584-4447-ad52-73674e71ff35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "a898dbab-6b26-405b-b64d-d890adca684b": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination Port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + 0 + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3b212733-3584-4447-ad52-73674e71ff35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + }, + "e7f25707-762e-436b-b97e-bd60189298e3": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3b212733-3584-4447-ad52-73674e71ff35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + 
}, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "e7f25707-762e-436b-b97e-bd60189298e3", + "isTransposed": false + }, + { + "columnId": "80056f39-cc0f-452b-8d62-da7159be5299", + "isTransposed": false + }, + { + "columnId": "a898dbab-6b26-405b-b64d-d890adca684b", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "545df12a-daf9-4537-b444-6b4c68e4373a", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "3e8aedfe-f53a-4352-9815-5dc7cdd7b1ca", + "isTransposed": false + }, + { + "columnId": "3b212733-3584-4447-ad52-73674e71ff35", + "isTransposed": false + } + ], + "layerId": "52f8c4eb-efe2-46ef-a2a1-48f38c5d2e60", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "35be4b1b-e979-4994-956d-161df3c542df", + "w": 24, + "x": 24, + "y": 48 + }, + "panelIndex": "35be4b1b-e979-4994-956d-161df3c542df", + "title": "Connection on reserved port 0[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-6f432d24-4cfb-4fae-9c30-59d320818535", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6f432d24-4cfb-4fae-9c30-59d320818535": { + "columnOrder": [ + "556dc77a-5cf2-4f94-9a00-b6bfb1a4e2f3", + "0d55aeae-2a7e-4115-8366-c0530f525b1f" + ], + "columns": { + "0d55aeae-2a7e-4115-8366-c0530f525b1f": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"556dc77a-5cf2-4f94-9a00-b6bfb1a4e2f3": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.http_version", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0d55aeae-2a7e-4115-8366-c0530f525b1f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_version" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "0d55aeae-2a7e-4115-8366-c0530f525b1f" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "6f432d24-4cfb-4fae-9c30-59d320818535", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "556dc77a-5cf2-4f94-9a00-b6bfb1a4e2f3", + "yConfig": [ + { + "color": "#f22090", + "forAccessor": "0d55aeae-2a7e-4115-8366-c0530f525b1f" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true 
+ }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e721ba83-d8a0-4e87-aec3-cef7372f8740", + "w": 24, + "x": 0, + "y": 51 + }, + "panelIndex": "e721ba83-d8a0-4e87-aec3-cef7372f8740", + "title": "Versions[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-b770cd6b-b887-413e-8cdc-c938199efa2c", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "62e73998-8469-4073-8224-b341e39886f1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b770cd6b-b887-413e-8cdc-c938199efa2c": { + "columnOrder": [ + "145a3f3d-4859-465a-8f97-63efeeb664e0", + "5ec8b084-ccb0-47d3-963f-8adadd05df0c", + "44adc3dc-85b7-4338-9809-105b7b7b5680", + "1f50a612-b374-4666-82f6-a9a4ee93aba1", + "5c1933ca-aa28-466d-b0c6-71d74fdd66ec", + "f5e76e2c-206b-44a1-ac2f-86d380df92ec" + ], + "columns": { + "145a3f3d-4859-465a-8f97-63efeeb664e0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f5e76e2c-206b-44a1-ac2f-86d380df92ec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "1f50a612-b374-4666-82f6-a9a4ee93aba1": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Source port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "f5e76e2c-206b-44a1-ac2f-86d380df92ec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_port" + }, + "44adc3dc-85b7-4338-9809-105b7b7b5680": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f5e76e2c-206b-44a1-ac2f-86d380df92ec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "5c1933ca-aa28-466d-b0c6-71d74fdd66ec": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f5e76e2c-206b-44a1-ac2f-86d380df92ec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + }, + "5ec8b084-ccb0-47d3-963f-8adadd05df0c": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f5e76e2c-206b-44a1-ac2f-86d380df92ec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + 
"f5e76e2c-206b-44a1-ac2f-86d380df92ec": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "62e73998-8469-4073-8224-b341e39886f1", + "key": "gigamon.ami.app_name", + "negate": false, + "params": { + "query": "http2" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.app_name": "http2" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "5ec8b084-ccb0-47d3-963f-8adadd05df0c", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "44adc3dc-85b7-4338-9809-105b7b7b5680", + "isTransposed": false + }, + { + "columnId": "145a3f3d-4859-465a-8f97-63efeeb664e0", + "isTransposed": false + }, + { + "columnId": "f5e76e2c-206b-44a1-ac2f-86d380df92ec", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "1f50a612-b374-4666-82f6-a9a4ee93aba1", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "5c1933ca-aa28-466d-b0c6-71d74fdd66ec", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "b770cd6b-b887-413e-8cdc-c938199efa2c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a2607495-befa-4003-8135-3b853f5d681d", + "w": 24, + "x": 24, + "y": 63 + }, + "panelIndex": "a2607495-befa-4003-8135-3b853f5d681d", + "title": "Http2 session info[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-dd0c1ad5-68d7-4b28-853e-6a26f853ca4d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dd0c1ad5-68d7-4b28-853e-6a26f853ca4d": { + "columnOrder": [ + "e4bb3466-deed-47e5-bcbb-eaccca75616a", + "8efe08f5-376d-423c-93ec-f547b9fd9318" + ], + "columns": { + "8efe08f5-376d-423c-93ec-f547b9fd9318": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e4bb3466-deed-47e5-bcbb-eaccca75616a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.http_referer", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8efe08f5-376d-423c-93ec-f547b9fd9318", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_referer" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 5, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 4, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + }, + { + "colorIndex": 9, + "paletteId": 
"eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "dd0c1ad5-68d7-4b28-853e-6a26f853ca4d", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "8efe08f5-376d-423c-93ec-f547b9fd9318" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "e4bb3466-deed-47e5-bcbb-eaccca75616a" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c6ed4dc3-69db-48f3-9b49-c6ea39f901b4", + "w": 24, + "x": 0, + "y": 66 + }, + "panelIndex": "c6ed4dc3-69db-48f3-9b49-c6ea39f901b4", + "title": "Top Referer sites[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Common unsafe HTTP methods are POST, PUT and DELETE", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 3, + "i": "0c451745-8351-4057-8b2b-10e4613ab790", + "w": 24, + "x": 24, + "y": 78 + }, + "panelIndex": "0c451745-8351-4057-8b2b-10e4613ab790", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-d2c430c7-08e1-46ee-86f1-95f74dcbded4", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "626d397a-5863-44a3-9644-dcf830489401", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d2c430c7-08e1-46ee-86f1-95f74dcbded4": { + "columnOrder": [ + "3d7f60fe-f7d2-49ce-9698-54d91b393a02", + "173a8ce4-606e-4e70-8863-d144052944cb", + "fb75c371-1b31-4315-9643-efef9327358d", + "e7a080f9-6b78-497a-ab17-9c33a8f515f0", + "d64ac9fb-8cbb-4d7e-acd0-7a9957b8b94b", + "9e8fa9b8-35af-43b6-b203-ce34d5551d2a", + "545b637a-7e8c-4a7b-986a-e0675ba46401", + "57abd24d-01f7-4096-8545-14b4d4bc6b69" + ], + "columns": { + "173a8ce4-606e-4e70-8863-d144052944cb": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "3d7f60fe-f7d2-49ce-9698-54d91b393a02": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 14 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "545b637a-7e8c-4a7b-986a-e0675ba46401": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Server Software", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": 
"column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_server_agent" + }, + "57abd24d-01f7-4096-8545-14b4d4bc6b69": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9e8fa9b8-35af-43b6-b203-ce34d5551d2a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Client Browser", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_user_agent" + }, + "d64ac9fb-8cbb-4d7e-acd0-7a9957b8b94b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "time taken", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_rtt" + }, + "e7a080f9-6b78-497a-ab17-9c33a8f515f0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Uri", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": "column" + }, + "orderDirection": "desc", 
+ "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_uri" + }, + "fb75c371-1b31-4315-9643-efef9327358d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Web server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_server" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.app_name", + "index": "626d397a-5863-44a3-9644-dcf830489401", + "key": "gigamon.ami.app_name", + "negate": false, + "params": { + "query": "http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "gigamon.ami.app_name": "http" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "fb75c371-1b31-4315-9643-efef9327358d", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "e7a080f9-6b78-497a-ab17-9c33a8f515f0", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "d64ac9fb-8cbb-4d7e-acd0-7a9957b8b94b", + "isTransposed": false + }, + { + "columnId": "57abd24d-01f7-4096-8545-14b4d4bc6b69", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "9e8fa9b8-35af-43b6-b203-ce34d5551d2a", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "545b637a-7e8c-4a7b-986a-e0675ba46401", + "isMetric": 
false, + "isTransposed": false + }, + { + "columnId": "3d7f60fe-f7d2-49ce-9698-54d91b393a02", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "173a8ce4-606e-4e70-8863-d144052944cb", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "d2c430c7-08e1-46ee-86f1-95f74dcbded4", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2118f875-bcca-44fd-a40f-18b047fc61ac", + "w": 24, + "x": 0, + "y": 81 + }, + "panelIndex": "2118f875-bcca-44fd-a40f-18b047fc61ac", + "title": "Web Session Info[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-7ae3bfcf-251d-41f4-af53-a381f40e04e4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7ae3bfcf-251d-41f4-af53-a381f40e04e4": { + "columnOrder": [ + "40017f28-31f4-459a-af84-c89f9bb8a554", + "9a84eebb-574c-435f-a66f-2e46bce11e12", + "41840859-a3c1-452d-905b-219a0e03912d", + "4f9f2efb-baff-4a10-be1d-8136862089ba", + "fc73c13d-4797-4be7-bd64-912ddccfc675", + "20b1c8a5-ce9e-4214-af50-a69650952be8" + ], + "columns": { + "20b1c8a5-ce9e-4214-af50-a69650952be8": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "40017f28-31f4-459a-af84-c89f9bb8a554": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Http method", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [ + "POST", + "PUT", + "DELETE" + ], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "20b1c8a5-ce9e-4214-af50-a69650952be8", + "type": "column" + 
}, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_method" + }, + "41840859-a3c1-452d-905b-219a0e03912d": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "20b1c8a5-ce9e-4214-af50-a69650952be8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "4f9f2efb-baff-4a10-be1d-8136862089ba": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "20b1c8a5-ce9e-4214-af50-a69650952be8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "9a84eebb-574c-435f-a66f-2e46bce11e12": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "20b1c8a5-ce9e-4214-af50-a69650952be8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_file_type" + }, + "fc73c13d-4797-4be7-bd64-912ddccfc675": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": 
"Web server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "20b1c8a5-ce9e-4214-af50-a69650952be8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_server" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "40017f28-31f4-459a-af84-c89f9bb8a554", + "isTransposed": false + }, + { + "columnId": "41840859-a3c1-452d-905b-219a0e03912d", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "4f9f2efb-baff-4a10-be1d-8136862089ba", + "isTransposed": false + }, + { + "columnId": "20b1c8a5-ce9e-4214-af50-a69650952be8", + "isTransposed": false + }, + { + "columnId": "fc73c13d-4797-4be7-bd64-912ddccfc675", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "9a84eebb-574c-435f-a66f-2e46bce11e12", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "7ae3bfcf-251d-41f4-af53-a381f40e04e4", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "15bf7ddc-aa4f-4698-b9c1-a42ac68ef94a", + "w": 24, + "x": 24, + "y": 81 + }, + "panelIndex": "15bf7ddc-aa4f-4698-b9c1-a42ac68ef94a", + "title": "Session info for unsafe Http methods[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-0d2c6675-2841-4e00-a502-a80b7aee1da3", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0d2c6675-2841-4e00-a502-a80b7aee1da3": { + "columnOrder": [ + "e08d0744-79fe-4ec8-b3fe-a24e6919d3ad", + "f0d95021-4e2d-49dd-b5f9-1e4500d00293", + "25753565-a563-449f-b5fa-4c788f12a4c6", + "099e6663-ffce-478b-878f-eeab2c02fbb6", + "c647b014-a149-4307-8b64-5f101a4ba7c3" + ], + "columns": { + "099e6663-ffce-478b-878f-eeab2c02fbb6": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination port", + "operationType": "terms", + "params": { + "exclude": [ + 80 + ], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c647b014-a149-4307-8b64-5f101a4ba7c3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_port" + }, + "25753565-a563-449f-b5fa-4c788f12a4c6": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Source port", + "operationType": "terms", + "params": { + "exclude": [ + 80 + ], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c647b014-a149-4307-8b64-5f101a4ba7c3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 13 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_port" + }, + "c647b014-a149-4307-8b64-5f101a4ba7c3": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e08d0744-79fe-4ec8-b3fe-a24e6919d3ad": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": 
[], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c647b014-a149-4307-8b64-5f101a4ba7c3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "f0d95021-4e2d-49dd-b5f9-1e4500d00293": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c647b014-a149-4307-8b64-5f101a4ba7c3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "e08d0744-79fe-4ec8-b3fe-a24e6919d3ad", + "isTransposed": false + }, + { + "columnId": "f0d95021-4e2d-49dd-b5f9-1e4500d00293", + "isTransposed": false + }, + { + "columnId": "c647b014-a149-4307-8b64-5f101a4ba7c3", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "25753565-a563-449f-b5fa-4c788f12a4c6", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "099e6663-ffce-478b-878f-eeab2c02fbb6", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "0d2c6675-2841-4e00-a502-a80b7aee1da3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Communication outside port 80", + "enhancements": {} + }, + "gridData": { 
+ "h": 15, + "i": "2d34d4b2-a3fd-41e3-afb0-0c6f7e84aa9c", + "w": 24, + "x": 0, + "y": 96 + }, + "panelIndex": "2d34d4b2-a3fd-41e3-afb0-0c6f7e84aa9c", + "title": "Http communication on non-standard ports[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-fcbe6558-dee4-4eac-bac0-f3f340630af1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fcbe6558-dee4-4eac-bac0-f3f340630af1": { + "columnOrder": [ + "77ca8c87-1e06-4a9f-ae1d-6913ff560487", + "d9dd92d7-ebbf-49e8-9ff7-f0b630d16865" + ], + "columns": { + "77ca8c87-1e06-4a9f-ae1d-6913ff560487": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.http_file_type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d9dd92d7-ebbf-49e8-9ff7-f0b630d16865", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_file_type" + }, + "d9dd92d7-ebbf-49e8-9ff7-f0b630d16865": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + 
{ + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 4, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "fcbe6558-dee4-4eac-bac0-f3f340630af1", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "d9dd92d7-ebbf-49e8-9ff7-f0b630d16865" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "77ca8c87-1e06-4a9f-ae1d-6913ff560487" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "031caf31-94df-4ae9-b8db-048c6087d60d", + "w": 24, + "x": 24, + "y": 96 + }, + "panelIndex": "031caf31-94df-4ae9-b8db-048c6087d60d", + "title": "File types[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Web Traffic details", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:08:24.090Z", + "id": "gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9236f79d-61f7-404a-8822-17ef4496b7d6:indexpattern-datasource-layer-6653e941-2b11-4e99-8cf6-7b536389759d", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "0c4c7a41-4eb9-4389-9c0f-dd395676c84a:indexpattern-datasource-layer-42ff257f-c3e4-45a0-9b1f-fc81a1882379", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "8c016cce-649d-4cdb-a7df-e88685e7ee43:indexpattern-datasource-layer-9a30d6db-4434-4567-9300-acbb289bbc91", + "type": "index-pattern" + }, + { + "id": 
"e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a31e20d6-3010-44c4-b685-8a00a8698947:indexpattern-datasource-layer-f5aa0548-7204-4fe7-ae54-91c762a05ddd", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a31e20d6-3010-44c4-b685-8a00a8698947:9e00affd-603f-47dc-8524-9248c20ef8dc", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "49610792-b5f4-4920-9012-bed8ef370218:indexpattern-datasource-layer-f9a9aa82-c81c-45f0-9f40-d1bdb7a0a44b", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "35be4b1b-e979-4994-956d-161df3c542df:indexpattern-datasource-layer-52f8c4eb-efe2-46ef-a2a1-48f38c5d2e60", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "e721ba83-d8a0-4e87-aec3-cef7372f8740:indexpattern-datasource-layer-6f432d24-4cfb-4fae-9c30-59d320818535", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a2607495-befa-4003-8135-3b853f5d681d:indexpattern-datasource-layer-b770cd6b-b887-413e-8cdc-c938199efa2c", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a2607495-befa-4003-8135-3b853f5d681d:62e73998-8469-4073-8224-b341e39886f1", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "c6ed4dc3-69db-48f3-9b49-c6ea39f901b4:indexpattern-datasource-layer-dd0c1ad5-68d7-4b28-853e-6a26f853ca4d", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2118f875-bcca-44fd-a40f-18b047fc61ac:indexpattern-datasource-layer-d2c430c7-08e1-46ee-86f1-95f74dcbded4", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2118f875-bcca-44fd-a40f-18b047fc61ac:626d397a-5863-44a3-9644-dcf830489401", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": 
"15bf7ddc-aa4f-4698-b9c1-a42ac68ef94a:indexpattern-datasource-layer-7ae3bfcf-251d-41f4-af53-a381f40e04e4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07",
+ "name": "2d34d4b2-a3fd-41e3-afb0-0c6f7e84aa9c:indexpattern-datasource-layer-0d2c6675-2841-4e00-a502-a80b7aee1da3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07",
+ "name": "031caf31-94df-4ae9-b8db-048c6087d60d:indexpattern-datasource-layer-fcbe6558-dee4-4eac-bac0-f3f340630af1",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/packages/gigamon/kibana/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae.json b/packages/gigamon/kibana/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae.json
new file mode 100644
index 00000000000..f8cdd854ba2
--- /dev/null
+++ b/packages/gigamon/kibana/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae.json
@@ -0,0 +1,1785 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [Troubleshooting Insights for Network traffic](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [**Unsanctioned Peer to Peer Apps**](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"c8146cae-e7ee-4f9c-bf73-bdc589c42ee7", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "c8146cae-e7ee-4f9c-bf73-bdc589c42ee7", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-c40b1d67-8d61-453a-a436-aa99ea61cc06", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c40b1d67-8d61-453a-a436-aa99ea61cc06": { + "columnOrder": [ + "9b138a5d-7c4e-4475-af7b-ce4cd2df3778", + "808849c3-9058-41a9-a41b-c1fc6050cf5c", + "be77ae20-f81f-44e2-a251-fbb449e9a057" + ], + "columns": { + "808849c3-9058-41a9-a41b-c1fc6050cf5c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9b138a5d-7c4e-4475-af7b-ce4cd2df3778": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of gigamon.ami.dns_query", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be77ae20-f81f-44e2-a251-fbb449e9a057", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_query" + }, + "be77ae20-f81f-44e2-a251-fbb449e9a057": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "be77ae20-f81f-44e2-a251-fbb449e9a057" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 6, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorCode": "#971d45", + "touched": true, + "type": "colorCode" + }, + { + "colorCode": "#2f8ce2", + "touched": false, + "type": "colorCode" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c40b1d67-8d61-453a-a436-aa99ea61cc06", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9b138a5d-7c4e-4475-af7b-ce4cd2df3778", + "xAccessor": "808849c3-9058-41a9-a41b-c1fc6050cf5c" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2b540711-4ead-413a-8b4a-9c1aee1f432a", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "2b540711-4ead-413a-8b4a-9c1aee1f432a", + "title": "Volume of DNS Requests over time[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-41d11af3-009b-45ce-b2b4-70cdc656b927", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "41d11af3-009b-45ce-b2b4-70cdc656b927": { + "columnOrder": [ + "b9bb62e1-70d3-45ef-94d9-558f15f16eb1", + "d6d7ae23-8da4-48da-a732-985ff7e5dfbe" + ], + "columns": { + "b9bb62e1-70d3-45ef-94d9-558f15f16eb1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top DNS Queried", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d6d7ae23-8da4-48da-a732-985ff7e5dfbe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_query" + }, + "d6d7ae23-8da4-48da-a732-985ff7e5dfbe": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d6d7ae23-8da4-48da-a732-985ff7e5dfbe" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": 
"eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "41d11af3-009b-45ce-b2b4-70cdc656b927", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "b9bb62e1-70d3-45ef-94d9-558f15f16eb1", + "yConfig": [ + { + "color": "#ea6245", + "forAccessor": "d6d7ae23-8da4-48da-a732-985ff7e5dfbe" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "aea6907c-059a-4596-b3c6-9d2582bc2fbf", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "aea6907c-059a-4596-b3c6-9d2582bc2fbf", + "title": "Top DNS Queried[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-58ebbf18-0dda-49c2-ae26-1a96bb76a444", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "466e4764-4008-4351-ba5e-74939f3168ae", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "58ebbf18-0dda-49c2-ae26-1a96bb76a444": { + "columnOrder": [ + "c1388b2a-2604-444e-8e04-59993952791f", + "9d3fcd6c-d42c-4d83-a55d-8a10cd8dc7b8", + "df26beb3-26ab-4613-910f-d9bea054c1ca" + ], + "columns": { + "9d3fcd6c-d42c-4d83-a55d-8a10cd8dc7b8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + 
"c1388b2a-2604-444e-8e04-59993952791f": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Top DNS Servers", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "df26beb3-26ab-4613-910f-d9bea054c1ca", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "df26beb3-26ab-4613-910f-d9bea054c1ca": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.dns_query", + "index": "466e4764-4008-4351-ba5e-74939f3168ae", + "key": "gigamon.ami.dns_query", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "gigamon.ami.dns_query" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "df26beb3-26ab-4613-910f-d9bea054c1ca" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "kibana_v7_legacy", + "specialAssignments": 
[ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "58ebbf18-0dda-49c2-ae26-1a96bb76a444", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "c1388b2a-2604-444e-8e04-59993952791f", + "xAccessor": "9d3fcd6c-d42c-4d83-a55d-8a10cd8dc7b8" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "0121fd10-c2b4-472a-bcd8-148d3e9589e2", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "0121fd10-c2b4-472a-bcd8-148d3e9589e2", + "title": "Top DNS Servers with Volume of Responses[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-4f46c7d1-cd26-40ef-bea2-a17023767382", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "abf73eef-11dd-4f79-8e5d-ab518aa8bbc7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4f46c7d1-cd26-40ef-bea2-a17023767382": { + "columnOrder": [ + "0c34fe27-186d-4fc9-a2ca-01bcadd6e9b8", + "780561c4-ac1d-46d0-9ed8-cafb63375024", + "cb01d789-d4ca-4ade-a3ee-ecc8b1944ccf" + ], + "columns": { + "0c34fe27-186d-4fc9-a2ca-01bcadd6e9b8": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "DNS Clients", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "cb01d789-d4ca-4ade-a3ee-ecc8b1944ccf", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "780561c4-ac1d-46d0-9ed8-cafb63375024": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cb01d789-d4ca-4ade-a3ee-ecc8b1944ccf": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.dns_query", + "index": "abf73eef-11dd-4f79-8e5d-ab518aa8bbc7", + "key": "gigamon.ami.dns_query", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "gigamon.ami.dns_query" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "accessors": [ + "cb01d789-d4ca-4ade-a3ee-ecc8b1944ccf" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "elastic_brand_2023", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f46c7d1-cd26-40ef-bea2-a17023767382", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "0c34fe27-186d-4fc9-a2ca-01bcadd6e9b8", + "xAccessor": 
"780561c4-ac1d-46d0-9ed8-cafb63375024" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b97357d2-ccbf-4968-a18c-b5417b1d2823", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "b97357d2-ccbf-4968-a18c-b5417b1d2823", + "title": "Volume of DNS requests by Clients[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-3d66f06d-227d-4b54-a0d8-9a892b2d8163", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "82a0bf64-7149-422f-989a-ffbfaf939c8f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3d66f06d-227d-4b54-a0d8-9a892b2d8163": { + "columnOrder": [ + "942cb853-c6ee-43ad-aa16-2f1f29682db3", + "d67e6f48-7985-4bb2-a46c-87e1af538e26" + ], + "columns": { + "942cb853-c6ee-43ad-aa16-2f1f29682db3": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Top DNS Clients", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d67e6f48-7985-4bb2-a46c-87e1af538e26", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "d67e6f48-7985-4bb2-a46c-87e1af538e26": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + 
"incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "gigamon.ami.dns_query", + "index": "82a0bf64-7149-422f-989a-ffbfaf939c8f", + "key": "gigamon.ami.dns_query", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "gigamon.ami.dns_query" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3d66f06d-227d-4b54-a0d8-9a892b2d8163", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "d67e6f48-7985-4bb2-a46c-87e1af538e26" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "942cb853-c6ee-43ad-aa16-2f1f29682db3" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "13499553-67bc-4664-8afc-09dac2c5ff7a", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "13499553-67bc-4664-8afc-09dac2c5ff7a", + "title": "Top DNS Clients[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-ab8e599f-a4ab-40ee-9c6e-55a3851d9943", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + 
"layers": { + "ab8e599f-a4ab-40ee-9c6e-55a3851d9943": { + "columnOrder": [ + "fc6cd8aa-e32f-4a01-9554-bd816cba04dc", + "ae7e9e83-c203-4c0c-b77b-8f6dbe61ede8" + ], + "columns": { + "ae7e9e83-c203-4c0c-b77b-8f6dbe61ede8": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fc6cd8aa-e32f-4a01-9554-bd816cba04dc": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of gigamon.ami.dns_query", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ae7e9e83-c203-4c0c-b77b-8f6dbe61ede8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_query" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "sort": "desc", + "steps": [ + { + "colorIndex": 5, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + }, + { + "colorIndex": 3, + "paletteId": "eui_amsterdam_color_blind", + "touched": true, + "type": "categorical" + }, + { + "colorIndex": 4, + "paletteId": "eui_amsterdam_color_blind", + "touched": false, + "type": "categorical" + } + ], + "type": "gradient" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + 
"type": "other" + }, + "touched": false + } + ] + }, + "layerId": "ab8e599f-a4ab-40ee-9c6e-55a3851d9943", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "ae7e9e83-c203-4c0c-b77b-8f6dbe61ede8" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "fc6cd8aa-e32f-4a01-9554-bd816cba04dc" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "9ec9a432-43ba-4cd6-bfb5-85ad1b150839", + "w": 24, + "x": 0, + "y": 51 + }, + "panelIndex": "9ec9a432-43ba-4cd6-bfb5-85ad1b150839", + "title": "Top 20 DNS Lookups[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-721b569c-a91b-4f80-93cd-e3249af588b1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "721b569c-a91b-4f80-93cd-e3249af588b1": { + "columnOrder": [ + "a9f0f635-a19e-4461-b093-5d305be6d91f", + "9e637159-00e0-400d-8ccf-c846efeaf76e", + "a4f7d6e2-b711-4748-bb52-02be676203d0", + "1a9fbe24-b7e5-4155-bc77-3cd66c0c4d47" + ], + "columns": { + "1a9fbe24-b7e5-4155-bc77-3cd66c0c4d47": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9e637159-00e0-400d-8ccf-c846efeaf76e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Dst ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1a9fbe24-b7e5-4155-bc77-3cd66c0c4d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, 
+ "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "a4f7d6e2-b711-4748-bb52-02be676203d0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Query type value", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1a9fbe24-b7e5-4155-bc77-3cd66c0c4d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_query_type_value" + }, + "a9f0f635-a19e-4461-b093-5d305be6d91f": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Src ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1a9fbe24-b7e5-4155-bc77-3cd66c0c4d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "a9f0f635-a19e-4461-b093-5d305be6d91f", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "9e637159-00e0-400d-8ccf-c846efeaf76e", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "a4f7d6e2-b711-4748-bb52-02be676203d0", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "1a9fbe24-b7e5-4155-bc77-3cd66c0c4d47", + "isMetric": true, + "isTransposed": false + } + 
], + "layerId": "721b569c-a91b-4f80-93cd-e3249af588b1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4b139b4f-b643-4953-865a-faec3dd2fea2", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "4b139b4f-b643-4953-865a-faec3dd2fea2", + "title": "DNS Query type[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-df034b2d-ce2a-4ece-a173-bf8b998f4aaf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "df034b2d-ce2a-4ece-a173-bf8b998f4aaf": { + "columnOrder": [ + "c4b650de-63a3-4de7-9911-84d8be7df467", + "eeca0cbf-3fe4-47af-97ad-0c46dc0019bd", + "02f8526b-3705-4c0a-b796-28afeae062b7", + "4efe9389-66a0-4e67-a706-ef5ca81fda2c", + "6e5c57e0-2a6e-4cff-85db-2997f4c3c80d", + "94e83583-4492-4535-9b0f-4beb6e81b6a7", + "3e8b0dbb-ac77-43f8-b087-be4e48425c35" + ], + "columns": { + "02f8526b-3705-4c0a-b796-28afeae062b7": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "DNS Client", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "3e8b0dbb-ac77-43f8-b087-be4e48425c35": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "4efe9389-66a0-4e67-a706-ef5ca81fda2c": { + "customLabel": true, + 
"dataType": "ip", + "isBucketed": true, + "label": "DNS Server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "6e5c57e0-2a6e-4cff-85db-2997f4c3c80d": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "DNS ttl", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_ttl" + }, + "94e83583-4492-4535-9b0f-4beb6e81b6a7": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "DNS Response time", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_response_time" + }, + "c4b650de-63a3-4de7-9911-84d8be7df467": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DNS Query", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + 
"type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_query" + }, + "eeca0cbf-3fe4-47af-97ad-0c46dc0019bd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DNS Host Address", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_host_addr" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "c4b650de-63a3-4de7-9911-84d8be7df467", + "isTransposed": false + }, + { + "columnId": "eeca0cbf-3fe4-47af-97ad-0c46dc0019bd", + "isTransposed": false + }, + { + "columnId": "02f8526b-3705-4c0a-b796-28afeae062b7", + "isTransposed": false + }, + { + "columnId": "4efe9389-66a0-4e67-a706-ef5ca81fda2c", + "isTransposed": false + }, + { + "columnId": "3e8b0dbb-ac77-43f8-b087-be4e48425c35", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "6e5c57e0-2a6e-4cff-85db-2997f4c3c80d", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "94e83583-4492-4535-9b0f-4beb6e81b6a7", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "df034b2d-ce2a-4ece-a173-bf8b998f4aaf", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": 
"d4d86252-0126-4f94-a270-281277c80c7e", + "w": 24, + "x": 0, + "y": 66 + }, + "panelIndex": "d4d86252-0126-4f94-a270-281277c80c7e", + "title": "DNS Query and Name Resolution Info[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-fde7f29c-0218-4d7a-9717-9e49997f51c2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "fde7f29c-0218-4d7a-9717-9e49997f51c2": { + "columnOrder": [ + "3eccac2d-5992-4a84-838c-643774797be0", + "6531768c-1c50-4e9e-a028-b455265f610e", + "ace39ea3-9667-4818-be43-dfd0b6969e20", + "ba2faf3d-9d2e-403f-8052-9cad4e664083" + ], + "columns": { + "3eccac2d-5992-4a84-838c-643774797be0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Src ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ba2faf3d-9d2e-403f-8052-9cad4e664083", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "6531768c-1c50-4e9e-a028-b455265f610e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Dst ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ba2faf3d-9d2e-403f-8052-9cad4e664083", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + 
"ace39ea3-9667-4818-be43-dfd0b6969e20": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Reply code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ba2faf3d-9d2e-403f-8052-9cad4e664083", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dns_reply_code_value" + }, + "ba2faf3d-9d2e-403f-8052-9cad4e664083": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "3eccac2d-5992-4a84-838c-643774797be0", + "isTransposed": false + }, + { + "columnId": "6531768c-1c50-4e9e-a028-b455265f610e", + "isTransposed": false + }, + { + "columnId": "ace39ea3-9667-4818-be43-dfd0b6969e20", + "isTransposed": false + }, + { + "columnId": "ba2faf3d-9d2e-403f-8052-9cad4e664083", + "hidden": true, + "isTransposed": false + } + ], + "layerId": "fde7f29c-0218-4d7a-9717-9e49997f51c2", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d04b750f-714b-4ade-b946-3f3f5a230bce", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "d04b750f-714b-4ade-b946-3f3f5a230bce", + "title": "DNS Reply type[Gigamon AMI]", + "type": "lens" + } + ], + 
"timeRestore": false, + "title": "[Logs Gigamon] DNS Information", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:09:57.477Z", + "id": "gigamon-e192a946-8287-450a-a8f0-e23de9f95dae", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "2b540711-4ead-413a-8b4a-9c1aee1f432a:indexpattern-datasource-layer-c40b1d67-8d61-453a-a436-aa99ea61cc06", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "aea6907c-059a-4596-b3c6-9d2582bc2fbf:indexpattern-datasource-layer-41d11af3-009b-45ce-b2b4-70cdc656b927", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "0121fd10-c2b4-472a-bcd8-148d3e9589e2:indexpattern-datasource-layer-58ebbf18-0dda-49c2-ae26-1a96bb76a444", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "0121fd10-c2b4-472a-bcd8-148d3e9589e2:466e4764-4008-4351-ba5e-74939f3168ae", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "b97357d2-ccbf-4968-a18c-b5417b1d2823:indexpattern-datasource-layer-4f46c7d1-cd26-40ef-bea2-a17023767382", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "b97357d2-ccbf-4968-a18c-b5417b1d2823:abf73eef-11dd-4f79-8e5d-ab518aa8bbc7", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "13499553-67bc-4664-8afc-09dac2c5ff7a:indexpattern-datasource-layer-3d66f06d-227d-4b54-a0d8-9a892b2d8163", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "13499553-67bc-4664-8afc-09dac2c5ff7a:82a0bf64-7149-422f-989a-ffbfaf939c8f", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "9ec9a432-43ba-4cd6-bfb5-85ad1b150839:indexpattern-datasource-layer-ab8e599f-a4ab-40ee-9c6e-55a3851d9943", + "type": "index-pattern" + }, + { + "id": 
"e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "4b139b4f-b643-4953-865a-faec3dd2fea2:indexpattern-datasource-layer-721b569c-a91b-4f80-93cd-e3249af588b1", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "d4d86252-0126-4f94-a270-281277c80c7e:indexpattern-datasource-layer-df034b2d-ce2a-4ece-a173-bf8b998f4aaf", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "d04b750f-714b-4ade-b946-3f3f5a230bce:indexpattern-datasource-layer-fde7f29c-0218-4d7a-9717-9e49997f51c2", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/gigamon/kibana/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3.json b/packages/gigamon/kibana/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3.json new file mode 100644 index 00000000000..5ddbe0bd66b --- /dev/null +++ b/packages/gigamon/kibana/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3.json 
@@ -0,0 +1,1342 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**AMI Starter Pack**\n\n- [App Insights](#/dashboard/gigamon-855a64dc-1a72-403f-932b-a5b848378f7e)\n- Trouble shooting\n - [**Troubleshooting Insights for Network traffic**](#/dashboard/gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3)\n - [Top Traffic Sources and Destinations](#/dashboard/gigamon-d6cecabb-f026-4823-914d-b4d61fd61787)\n- [Security Posture](#/dashboard/gigamon-4ae2cd9a-3eef-42c6-a02c-731ce74d94ac)\n- Identifier Analysis\n - [Homoglyph Detection](#/dashboard/gigamon-64ca15b3-8327-4940-8b35-0e75ab3a73c6)\n - [URL Analysis](#/dashboard/gigamon-8f772203-64e0-4d1b-bb0e-14fa57b4b754)\n- M21-31\n - [Web Traffic Details](#/dashboard/gigamon-d866be49-47b2-4306-a2be-d5cb6b6ab9c8)\n - [DNS Information](#/dashboard/gigamon-e192a946-8287-450a-a8f0-e23de9f95dae)\n- Rogue Activity\n - [Unsanctioned Peer to Peer Apps](#/dashboard/gigamon-3523b534-7525-44a7-808f-6a9f3235a67d)\n- [PCI Compliance](#/dashboard/gigamon-032aab7b-87b2-444c-8c86-956d092598fb)\n- Suspicious Activities\n - [Suspicious Connections](#/dashboard/gigamon-62291e9e-8b75-4f23-9121-79959da99b3b)\n - [Unmanaged Endpoints](#/dashboard/gigamon-46931a21-a33e-43af-aadf-da8d6446b9cc)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": 
"48bee0e5-2c0b-402f-aad2-d109482c8f2b", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "48bee0e5-2c0b-402f-aad2-d109482c8f2b", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-5ccdb314-f7d5-4e07-9da8-deec1f9e87bf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5ccdb314-f7d5-4e07-9da8-deec1f9e87bf": { + "columnOrder": [ + "70a483ba-bcfe-48a0-aa40-4131f1dec8e5", + "625ddbd7-3cdd-439b-8e5b-db9ee6fac426", + "e32792b6-ba88-4a3c-b79b-29aca09b1d6c", + "db087f3b-b8da-4938-b07c-a47d953d2bae", + "27e19327-2ca3-4498-b0cf-6cea45866c75" + ], + "columns": { + "27e19327-2ca3-4498-b0cf-6cea45866c75": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "625ddbd7-3cdd-439b-8e5b-db9ee6fac426": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "27e19327-2ca3-4498-b0cf-6cea45866c75", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "70a483ba-bcfe-48a0-aa40-4131f1dec8e5": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Client", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "27e19327-2ca3-4498-b0cf-6cea45866c75", + "type": "column" + }, + "orderDirection": 
"desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "db087f3b-b8da-4938-b07c-a47d953d2bae": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Server Latency", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "27e19327-2ca3-4498-b0cf-6cea45866c75", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.tcp_rtt_app" + }, + "e32792b6-ba88-4a3c-b79b-29aca09b1d6c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "27e19327-2ca3-4498-b0cf-6cea45866c75", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "70a483ba-bcfe-48a0-aa40-4131f1dec8e5", + "isTransposed": false + }, + { + "columnId": "625ddbd7-3cdd-439b-8e5b-db9ee6fac426", + "isTransposed": false + }, + { + "columnId": "e32792b6-ba88-4a3c-b79b-29aca09b1d6c", + "isTransposed": false + }, + { + "columnId": "db087f3b-b8da-4938-b07c-a47d953d2bae", + "isTransposed": false + }, + { + "columnId": "27e19327-2ca3-4498-b0cf-6cea45866c75", + "hidden": true, + 
"isTransposed": false + } + ], + "layerId": "5ccdb314-f7d5-4e07-9da8-deec1f9e87bf", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Application response time of the server", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c3ac490a-3407-4c20-81ee-5e7b72cd7644", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "c3ac490a-3407-4c20-81ee-5e7b72cd7644", + "title": "Server Latency[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-40542048-bf27-455d-8ace-4cfeec0547cf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "40542048-bf27-455d-8ace-4cfeec0547cf": { + "columnOrder": [ + "5f34c17c-7b3b-4256-93b7-ddf5e41d7df4", + "f2f6b6f3-0c7c-41bb-9be5-531537209c28", + "db6e80c9-0060-41d7-a63e-a2ed17ae2e8f", + "e3f2c762-3b9e-488c-83fa-d9e2bdd9e7d3" + ], + "columns": { + "5f34c17c-7b3b-4256-93b7-ddf5e41d7df4": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e3f2c762-3b9e-488c-83fa-d9e2bdd9e7d3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "db6e80c9-0060-41d7-a63e-a2ed17ae2e8f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Tcp Flag Reset", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"e3f2c762-3b9e-488c-83fa-d9e2bdd9e7d3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.tcp_flag_reset" + }, + "e3f2c762-3b9e-488c-83fa-d9e2bdd9e7d3": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f2f6b6f3-0c7c-41bb-9be5-531537209c28": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e3f2c762-3b9e-488c-83fa-d9e2bdd9e7d3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "5f34c17c-7b3b-4256-93b7-ddf5e41d7df4", + "isTransposed": false + }, + { + "columnId": "f2f6b6f3-0c7c-41bb-9be5-531537209c28", + "isTransposed": false + }, + { + "columnId": "db6e80c9-0060-41d7-a63e-a2ed17ae2e8f", + "isTransposed": false + }, + { + "columnId": "e3f2c762-3b9e-488c-83fa-d9e2bdd9e7d3", + "hidden": true, + "isTransposed": false + } + ], + "layerId": "40542048-bf27-455d-8ace-4cfeec0547cf", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Session info that are experiencing an abrupt end to a tcp connection, due to 
some error.", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b07089af-c0bf-453a-8f75-3da528c947f7", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "b07089af-c0bf-453a-8f75-3da528c947f7", + "title": "TCP Resets (aborts)[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-c3f5a560-d315-4963-9020-22bfb2a43957", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "layers": { + "c3f5a560-d315-4963-9020-22bfb2a43957": { + "columnOrder": [ + "295e8196-b59f-4980-811a-9e7150e86527", + "b9e58b9f-9c15-409e-823c-630483c7bd51" + ], + "columns": { + "295e8196-b59f-4980-811a-9e7150e86527": { + "dataType": "ip", + "isBucketed": true, + "label": "Top 10 values of gigamon.ami.dst_ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b9e58b9f-9c15-409e-823c-630483c7bd51", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "b9e58b9f-9c15-409e-823c-630483c7bd51": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" and gigamon.ami.tcp_rtt 
\u003e 2" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b9e58b9f-9c15-409e-823c-630483c7bd51" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c3f5a560-d315-4963-9020-22bfb2a43957", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "295e8196-b59f-4980-811a-9e7150e86527", + "yConfig": [ + { + "color": "#ef7e66", + "forAccessor": "b9e58b9f-9c15-409e-823c-630483c7bd51" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "20a5f52f-3dc0-48d5-8f60-1bbdf657b49e", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "20a5f52f-3dc0-48d5-8f60-1bbdf657b49e", + "title": "Top 10 worst performing Servers[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-4075f59d-f023-4b0d-945c-bf1a5dcee87f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4075f59d-f023-4b0d-945c-bf1a5dcee87f": { + "columnOrder": [ + "14402eab-4b1c-471d-bff8-b9f84059535c", + "5f5e56b6-6e64-4705-8223-c8b8290e3155", + 
"1a3820b2-bb16-4f38-8757-c5b744efba72", + "5210a4e8-9425-44b9-8bcd-04ce3cb548d6" + ], + "columns": { + "14402eab-4b1c-471d-bff8-b9f84059535c": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Client", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5210a4e8-9425-44b9-8bcd-04ce3cb548d6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "1a3820b2-bb16-4f38-8757-c5b744efba72": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Http Response Time", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5210a4e8-9425-44b9-8bcd-04ce3cb548d6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.http_response_ts" + }, + "5210a4e8-9425-44b9-8bcd-04ce3cb548d6": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5f5e56b6-6e64-4705-8223-c8b8290e3155": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5210a4e8-9425-44b9-8bcd-04ce3cb548d6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + 
"sourceField": "gigamon.ami.dst_ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "14402eab-4b1c-471d-bff8-b9f84059535c", + "isTransposed": false + }, + { + "columnId": "1a3820b2-bb16-4f38-8757-c5b744efba72", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "5f5e56b6-6e64-4705-8223-c8b8290e3155", + "isTransposed": false + }, + { + "columnId": "5210a4e8-9425-44b9-8bcd-04ce3cb548d6", + "hidden": true, + "isTransposed": false + } + ], + "layerId": "4075f59d-f023-4b0d-945c-bf1a5dcee87f", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "730c317d-8817-466a-9219-fdab1bf7b810", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "730c317d-8817-466a-9219-fdab1bf7b810", + "title": "Slow performing Applications [Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-c0c6f334-8d4e-4cb8-939d-df6c7a549561", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c0c6f334-8d4e-4cb8-939d-df6c7a549561": { + "columnOrder": [ + "0bd0279a-6bc5-4827-9428-1c1bfb16603a", + "04ea5c1a-cac9-45d7-9556-308a138da8be", + "1f72bf44-7a79-4471-9a32-312af7167537", + "5ecbc989-6b77-4e1f-ad0e-bf4d07b65714", + "044818b1-5ce8-4dc6-8e7a-2df1decaf94d" + ], + "columns": { + "044818b1-5ce8-4dc6-8e7a-2df1decaf94d": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": 
"ratio", + "sourceField": "___records___" + }, + "04ea5c1a-cac9-45d7-9556-308a138da8be": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Server", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "044818b1-5ce8-4dc6-8e7a-2df1decaf94d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "0bd0279a-6bc5-4827-9428-1c1bfb16603a": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Client", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "044818b1-5ce8-4dc6-8e7a-2df1decaf94d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 23 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "1f72bf44-7a79-4471-9a32-312af7167537": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Applicatio", + "operationType": "terms", + "params": { + "exclude": [ + "Classification-unknown" + ], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "044818b1-5ce8-4dc6-8e7a-2df1decaf94d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + }, + "5ecbc989-6b77-4e1f-ad0e-bf4d07b65714": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "tcp_rtt", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "044818b1-5ce8-4dc6-8e7a-2df1decaf94d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.tcp_rtt" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "0bd0279a-6bc5-4827-9428-1c1bfb16603a", + "isTransposed": false + }, + { + "columnId": "04ea5c1a-cac9-45d7-9556-308a138da8be", + "isTransposed": false + }, + { + "columnId": "1f72bf44-7a79-4471-9a32-312af7167537", + "isTransposed": false + }, + { + "columnId": "5ecbc989-6b77-4e1f-ad0e-bf4d07b65714", + "isTransposed": false + }, + { + "columnId": "044818b1-5ce8-4dc6-8e7a-2df1decaf94d", + "isTransposed": false + } + ], + "layerId": "c0c6f334-8d4e-4cb8-939d-df6c7a549561", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Sessions with respective TCP Rtt", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8fa462dc-65b1-446d-bd57-5868edf3354c", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "8fa462dc-65b1-446d-bd57-5868edf3354c", + "title": "Network Latency[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-0034057d-bfb0-459f-869b-385f354ed921", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0034057d-bfb0-459f-869b-385f354ed921": { + "columnOrder": [ + "81fa6a5f-54a7-4a5a-9cc7-4b4be037eff2", + 
"20342d3b-3f52-476a-8946-3cff1fd5e7c0", + "f65f13e8-5312-4556-bf19-334fa869d5ce", + "bc928793-04bf-4bac-a276-f8b278ef6634", + "2527cb20-7d62-4b73-afda-4ca29ad366f9" + ], + "columns": { + "20342d3b-3f52-476a-8946-3cff1fd5e7c0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2527cb20-7d62-4b73-afda-4ca29ad366f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.dst_ip" + }, + "2527cb20-7d62-4b73-afda-4ca29ad366f9": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "81fa6a5f-54a7-4a5a-9cc7-4b4be037eff2": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2527cb20-7d62-4b73-afda-4ca29ad366f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.src_ip" + }, + "bc928793-04bf-4bac-a276-f8b278ef6634": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Lost Bytes", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2527cb20-7d62-4b73-afda-4ca29ad366f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + 
"parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.tcp_loss_count" + }, + "f65f13e8-5312-4556-bf19-334fa869d5ce": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2527cb20-7d62-4b73-afda-4ca29ad366f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "gigamon.ami.app_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "columns": [ + { + "columnId": "81fa6a5f-54a7-4a5a-9cc7-4b4be037eff2", + "isTransposed": false + }, + { + "columnId": "f65f13e8-5312-4556-bf19-334fa869d5ce", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "20342d3b-3f52-476a-8946-3cff1fd5e7c0", + "isTransposed": false + }, + { + "columnId": "2527cb20-7d62-4b73-afda-4ca29ad366f9", + "isTransposed": false + }, + { + "columnId": "bc928793-04bf-4bac-a276-f8b278ef6634", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "0034057d-bfb0-459f-869b-385f354ed921", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Session info that is experiencing lost data bytes", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a6629af9-b16e-44d4-bd77-1dfb1edb8a75", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "a6629af9-b16e-44d4-bd77-1dfb1edb8a75", + "title": "Lost Data[Gigamon AMI]", + "type": "lens" + }, + { + "embeddableConfig": 
{ + "attributes": { + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "indexpattern-datasource-layer-3b42ba9f-0144-427f-8fc7-822db62260ef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3b42ba9f-0144-427f-8fc7-822db62260ef": { + "columnOrder": [ + "2de123af-ddac-4104-8d2e-515803cb2899" + ], + "columns": { + "2de123af-ddac-4104-8d2e-515803cb2899": { + "dataType": "number", + "isBucketed": false, + "label": "Average of gigamon.ami.dns_response_time", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "gigamon.ami.dns_response_time" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"gigamon.ami\" " + }, + "visualization": { + "colorMode": "palette", + "labelMajorMode": "auto", + "layerId": "3b42ba9f-0144-427f-8fc7-822db62260ef", + "layerType": "data", + "metricAccessor": "2de123af-ddac-4104-8d2e-515803cb2899", + "palette": { + "name": "temperature", + "params": { + "continuity": "above", + "maxSteps": 5, + "name": "temperature", + "progression": "fixed", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#6092C080", + "stop": 1.33 + }, + { + "color": "#EBEFF580", + "stop": 2.66 + }, + { + "color": "#E7664C80", + "stop": 4 + } + ] + }, + "type": "palette" + }, + "shape": "verticalBullet", + "ticksPosition": "bands" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsGauge" + }, + "description": "Time it takes for sending a DNS query and getting a DNS response back", + "enhancements": {} + }, + "gridData": { + "h": 
15, + "i": "735f65bf-40c1-4b14-bec9-a2d07ad726a7", + "w": 24, + "x": 0, + "y": 51 + }, + "panelIndex": "735f65bf-40c1-4b14-bec9-a2d07ad726a7", + "title": "Average DNS Response time on the network[Gigamon AMI]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Gigamon] Troubleshooting Insights for Network traffic", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-21T10:03:21.142Z", + "id": "gigamon-e733c64e-6ea9-4dd6-a8ca-3914274598f3", + "managed": false, + "references": [ + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "c3ac490a-3407-4c20-81ee-5e7b72cd7644:indexpattern-datasource-layer-5ccdb314-f7d5-4e07-9da8-deec1f9e87bf", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "b07089af-c0bf-453a-8f75-3da528c947f7:indexpattern-datasource-layer-40542048-bf27-455d-8ace-4cfeec0547cf", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "20a5f52f-3dc0-48d5-8f60-1bbdf657b49e:indexpattern-datasource-layer-c3f5a560-d315-4963-9020-22bfb2a43957", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "730c317d-8817-466a-9219-fdab1bf7b810:indexpattern-datasource-layer-4075f59d-f023-4b0d-945c-bf1a5dcee87f", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "8fa462dc-65b1-446d-bd57-5868edf3354c:indexpattern-datasource-layer-c0c6f334-8d4e-4cb8-939d-df6c7a549561", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "a6629af9-b16e-44d4-bd77-1dfb1edb8a75:indexpattern-datasource-layer-0034057d-bfb0-459f-869b-385f354ed921", + "type": "index-pattern" + }, + { + "id": "e3f451b1-4c23-4305-bcbf-0bc812d1ba07", + "name": "735f65bf-40c1-4b14-bec9-a2d07ad726a7:indexpattern-datasource-layer-3b42ba9f-0144-427f-8fc7-822db62260ef", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No 
newline at end of file diff --git a/packages/gigamon/manifest.yml b/packages/gigamon/manifest.yml new file mode 100644 index 00000000000..802c42ab8bb --- /dev/null +++ b/packages/gigamon/manifest.yml 
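Review bot: The Server Latency datatable (panel `c3ac490a-3407-4c20-81ee-5e7b72cd7644`) is the only Lens panel in this dashboard whose KQL is empty (`"query": ""`), while every other panel scopes itself with `data_stream.dataset : \"gigamon.ami\" `; if the referenced index pattern is wider than this integration's data stream, its Client/Server/Application/Latency rows will mix in other sources, so the same filter belongs there, `"query": "data_stream.dataset : \"gigamon.ami\" "`. In the Network Latency panel the column label `"label": "Applicatio"` is truncated and should read `"label": "Application"` like the sibling panels, and `"label": "tcp_rtt"` exposes the raw field name where the other columns carry a human label. Both labels are user-facing table headers and `hidePanelTitles` is false, so they ship as written. This hunk is the entire new file.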
@@ -0,0 +1,68 @@ +format_version: 3.1.3 +name: gigamon +title: Gigamon +version: "0.1.0" +description: "This Gigamon package integrates with Filebeat to collect and ingest data from Gigamon devices" +type: integration +categories: + - custom + - security + - network +conditions: + kibana: + version: "^8.13.0" + elastic: + subscription: "basic" +screenshots: + - src: /img/App_Insights_Dashboard.png + title: Gigamon App Insight Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/Identifier_Analysis_Dashboard.png + title: Gigamon Identifier Analysis Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/M21-31_Dashboard.png + title: Gigamon M21-31 Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/PCI_Compliance_Dashboard.png + title: Gigamon PCI Compliance Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/Rogue_Activity_Dashboard.png + title: Gigamon Rogue Activity Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/Security_Posture_Dashboard.png + title: Gigamon Security Posture Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/Troubleshooting_Dashboard.png + title: Gigamon Troubleshooting Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/Suspicious_Activity_Dashboard.png + title: Gigamon Suspicious Activity Dashboard Screenshot + size: 600x600 +icons: + - src: /img/gigamon-logo.svg + title: Gigamon logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: gigamon + title: Gigamon AMI json + description: Collect json data from Gigamon AMI + inputs: + - type: http_endpoint + title: Collect json data from Gigamon AMI via HTTP Endpoint + description: Collect json data from Gigamon AMI via HTTP Endpoint + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for http endpoint connections. Set to '0.0.0.0' to bind to all available interfaces. 
+owner: + github: elastic/security-service-integrations + type: partner diff --git a/packages/gigamon/validation.yml b/packages/gigamon/validation.yml new file mode 100644 index 00000000000..20bae6630d4 --- /dev/null +++ b/packages/gigamon/validation.yml @@ -0,0 +1,4 @@ +errors: + exclude_checks: + - SVR00002 # Kibana version for saved tags. + - SVR00004 # References in dashboards. diff --git a/packages/kubernetes/_dev/build/docs/README.md b/packages/kubernetes/_dev/build/docs/README.md index b86aa71ec92..9b98e7932e6 100644 --- a/packages/kubernetes/_dev/build/docs/README.md +++ b/packages/kubernetes/_dev/build/docs/README.md @@ -108,7 +108,7 @@ This defaults to `/var/log/kubernetes/kube-apiserver-audit.log`. ## Compatibility -The Kubernetes package is tested with Kubernetes [1.27.x - 1.30.x] versions +The Kubernetes package is tested with Kubernetes [1.28.x - 1.31.x] versions ## Dashboard diff --git a/packages/kubernetes/changelog.yml b/packages/kubernetes/changelog.yml index 4001212e6a3..d9a45d4ead0 100644 --- a/packages/kubernetes/changelog.yml +++ b/packages/kubernetes/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: 1.66.4 + changes: + - description: Updating Cluster Overview Dashboard to use container.id as filter and replaced median functions from visualisations + type: bugfix + link: https://github.com/elastic/integrations/pull/10893 +- version: 1.66.3 + changes: + - description: Updating mapping of the field groups to keyword in kubernetes.audit_logs + type: enhancement + link: https://github.com/elastic/integrations/pull/10713 - version: 1.66.2 changes: - description: Fixing missing processor block in kubernetes.audit_logs diff --git a/packages/kubernetes/data_stream/audit_logs/fields/fields.yml b/packages/kubernetes/data_stream/audit_logs/fields/fields.yml index 58cace88bef..7890759a0a5 100644 --- a/packages/kubernetes/data_stream/audit_logs/fields/fields.yml +++ b/packages/kubernetes/data_stream/audit_logs/fields/fields.yml 
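Review bot: The only input-level var this policy template declares is `listen_address`, and its description recommends `0.0.0.0` without saying that an http_endpoint bound to every interface must be paired with TLS and an authentication check (the http_endpoint input supports a shared secret header and basic auth), so a reader following the text as written stands up a plaintext, unauthenticated ingest listener unless data-stream-level vars outside this hunk enforce it. I would extend the description: `description: The bind address to listen for http endpoint connections. Binding to '0.0.0.0' exposes the listener on all interfaces; do so only together with TLS and the secret-header or basic-auth settings, or restrict access with a firewall.` Separately, the last screenshot entry (`Suspicious_Activity_Dashboard.png`) is the only one without a `type: image/png` line, which looks like an omission rather than intent. The package description also says the package "integrates with Filebeat", while the input is an Elastic Agent http_endpoint; worth rewording.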
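Review bot: Excluding SVR00004 silences the check that, as far as I can tell, the bundled dashboards trip: the dashboard JSON earlier in this diff carries `references` that all point at one hard-coded index-pattern saved-object id (`e3f451b1-4c23-4305-bcbf-0bc812d1ba07`), which will not exist in a target Kibana unless the package ships it. Rather than disabling the check package-wide, re-export the dashboards with those references resolved to what the package actually installs, or put a one-line justification next to the exclusion saying why these references are safe. The SVR00002 comment, `# Kibana version for saved tags.`, only restates the check name; say why it is acceptable here (e.g. `# tags exported from a newer Kibana than the ^8.13.0 constraint; harmless on import`) if that is the reason.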
@@ -27,7 +27,7 @@ description: Authenticated user information fields: - name: groups - type: text + type: keyword description: The names of groups this user is a part of - name: username type: keyword @@ -47,7 +47,7 @@ description: Impersonated user information fields: - name: groups - type: text + type: keyword description: The names of groups this user is a part of - name: username type: keyword diff --git a/packages/kubernetes/docs/README.md b/packages/kubernetes/docs/README.md index ffaef3f0c80..bc4a2351779 100644 --- a/packages/kubernetes/docs/README.md +++ b/packages/kubernetes/docs/README.md @@ -108,7 +108,7 @@ This defaults to `/var/log/kubernetes/kube-apiserver-audit.log`. ## Compatibility -The Kubernetes package is tested with Kubernetes [1.27.x - 1.30.x] versions +The Kubernetes package is tested with Kubernetes [1.28.x - 1.31.x] versions ## Dashboard diff --git a/packages/kubernetes/docs/audit-logs.md b/packages/kubernetes/docs/audit-logs.md index a6b002f644d..9796abb2ac0 100644 --- a/packages/kubernetes/docs/audit-logs.md +++ b/packages/kubernetes/docs/audit-logs.md 
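Review bot: Changing `groups` from text to keyword is the right call for detection content (membership such as `system:masters` needs exact matching and aggregation), but the new mapping applies only to backing indices created after the data stream rolls over, so until the older ones age out a terms aggregation on `kubernetes.audit.user.groups` will fail on the text-mapped indices and exact-match queries will behave differently across them. The changelog entry earlier in this diff records this as an `enhancement` with no mention of that transition; I would add a sentence there and in the field description, e.g. `description: The names of groups this user is a part of. Mapped as keyword since 1.66.3; earlier backing indices keep the text mapping.` The same applies to the `impersonatedUser.groups` hunk that follows.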
@@ -132,7 +132,7 @@ An example event for `audit` looks as following: | kubernetes.audit.apiVersion | Audit event api version | keyword | | kubernetes.audit.auditID | Unique audit ID, generated for each request | keyword | | kubernetes.audit.impersonatedUser.extra.\* | Any additional information provided by the authenticator | object | -| kubernetes.audit.impersonatedUser.groups | The names of groups this user is a part of | text | +| kubernetes.audit.impersonatedUser.groups | The names of groups this user is a part of | keyword | | kubernetes.audit.impersonatedUser.uid | A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs | keyword | | kubernetes.audit.impersonatedUser.username | The name that uniquely identifies this user among all active users | keyword | | kubernetes.audit.kind | Kind of the audit event | keyword | @@ -190,7 +190,7 @@ An example event for `audit` looks as following: | kubernetes.audit.stage | Stage of the request handling when this event instance was generated | keyword | | kubernetes.audit.stageTimestamp | Time the request reached current audit stage | date | | kubernetes.audit.user.extra.\* | Any additional information provided by the authenticator | object | -| kubernetes.audit.user.groups | The names of groups this user is a part of | text | +| kubernetes.audit.user.groups | The names of groups this user is a part of | keyword | | kubernetes.audit.user.uid | A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs | keyword | | kubernetes.audit.user.username | The name that uniquely identifies this user among all active users | keyword | | kubernetes.audit.userAgent | UserAgent records the user agent string reported by the client. Note that the UserAgent is provided by the client, and must not be trusted | text | 
diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json index c2f631c5c70..cca7bfd68ad 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json @@ -271,16 +271,21 @@ "118dfa8c-388e-430c-860f-ce84cf88ac39": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.cronjob.next_schedule.sec\": *" + }, "isBucketed": false, "label": "Epoch Time until Next Schedule(sec)", - "operationType": "median", + "operationType": "last_value", "params": { "format": { "id": "number", "params": { "decimals": 0 } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "kubernetes.cronjob.next_schedule.sec" diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json index e2cce545db9..d2ef7126929 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json @@ -95,7 +95,7 @@ "dataType": "number", "isBucketed": false, "label": "Volume Used %", - "operationType": "max", + "operationType": "average", "params": { "emptyAsNull": true, "format": { @@ -113,7 +113,7 @@ "dataType": "number", "isBucketed": false, "label": "Used Bytes", - "operationType": "max", + "operationType": "average", "params": { "emptyAsNull": true, "format": { @@ -183,7 +183,7 @@ "dataType": "number", "isBucketed": false, "label": "Volume Size", - "operationType": "median", + "operationType": "average", "params": { "emptyAsNull": true, "format": { 
diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json index 802637488e6..9286de8caee 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json @@ -741,17 +741,22 @@ "9b5ed643-7572-4d3b-a9af-6265b3a5a515": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.deployment.replicas.desired\": *" + }, "isBucketed": false, "label": "Replicas Desired", - "operationType": "median", + "operationType": "last_value", "params": { - "emptyAsNull": true + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "kubernetes.deployment.replicas.desired" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json index f14af90d7e7..a5c18fea819 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json @@ -687,11 +687,15 @@ "34892916-522d-4b2e-b286-a534475b34a1": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.daemonset.replicas.desired\": *" + }, "isBucketed": false, "label": "Replicas Desired", - "operationType": "median", + "operationType": "last_value", "params": { - "emptyAsNull": true + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "kubernetes.daemonset.replicas.desired" 
diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json b/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json index 213cf506b37..040568faf69 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json @@ -468,7 +468,7 @@ "7113c7e7-1af9-4350-b5d2-57abcb60c633": { "dataType": "string", "isBucketed": true, - "label": "Top 10000 values of kubernetes.container.name", + "label": "Top 10000 values of container.id", "operationType": "terms", "params": { "missingBucket": false, @@ -494,7 +494,7 @@ "size": 10000 }, "scale": "ordinal", - "sourceField": "kubernetes.container.name" + "sourceField": "container.id" }, "830de93b-4051-4716-99e4-83d625a91288": { "customLabel": true, @@ -950,7 +950,7 @@ "6677e92c-5874-49c1-979e-c16c0d3838cd": { "dataType": "string", "isBucketed": true, - "label": "Top 10000 values of kubernetes.container.name", + "label": "Top 10000 values of container.id", "operationType": "terms", "params": { "missingBucket": false, @@ -976,7 +976,7 @@ "size": 10000 }, "scale": "ordinal", - "sourceField": "kubernetes.container.name" + "sourceField": "container.id" } }, "incompleteColumns": {}, diff --git a/packages/kubernetes/manifest.yml b/packages/kubernetes/manifest.yml index 93b45b14a10..886e4697694 100644 --- a/packages/kubernetes/manifest.yml +++ b/packages/kubernetes/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.2 name: kubernetes title: Kubernetes -version: 1.66.2 +version: 1.66.4 description: Collect logs and metrics from Kubernetes clusters with Elastic Agent. type: integration categories: diff --git a/packages/mysql/changelog.yml b/packages/mysql/changelog.yml index 2959480a6eb..02bbe151663 100644 --- a/packages/mysql/changelog.yml +++ b/packages/mysql/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.25.0 + changes: + - description: Add `schemaname` field in the performance data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/10749 - version: 1.24.0 changes: - description: Add replica_status data stream. diff --git a/packages/mysql/data_stream/performance/elasticsearch/ingest_pipeline/default.yml b/packages/mysql/data_stream/performance/elasticsearch/ingest_pipeline/default.yml index 0b6605d7ea7..c9587f9f8fa 100644 --- a/packages/mysql/data_stream/performance/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mysql/data_stream/performance/elasticsearch/ingest_pipeline/default.yml @@ -17,7 +17,9 @@ processors: ctx.mysql.performance.events_statements.query = digest.text; - fingerprint: - fields: ["mysql.performance.events_statements.query"] + fields: + - mysql.performance.events_statements.query + - mysql.performance.events_statements.schemaname target_field: mysql.performance.events_statements.query_id ignore_failure: true ignore_missing: true diff --git a/packages/mysql/data_stream/performance/fields/fields.yml b/packages/mysql/data_stream/performance/fields/fields.yml index 9e3c110b980..50598e2ba0b 100644 --- a/packages/mysql/data_stream/performance/fields/fields.yml +++ b/packages/mysql/data_stream/performance/fields/fields.yml @@ -4,6 +4,10 @@ - name: events_statements type: group fields: + - name: schemaname + type: keyword + dimension: true + description: Alias for the database name within certain SQL statements. - name: query_id type: keyword # Reason to add as a dimension field: shows results based on queries. diff --git a/packages/mysql/manifest.yml b/packages/mysql/manifest.yml index 0b4772b053b..0e7192f2d36 100644 --- a/packages/mysql/manifest.yml +++ b/packages/mysql/manifest.yml 
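Review bot: The description of the new `schemaname` dimension, `Alias for the database name within certain SQL statements.`, does not tell the reader where the value comes from or when it is absent, which matters now that it is part of the TSDB identity and of the `query_id` fingerprint in the pipeline hunk above. I would replace it with something like `description: Schema (database) name the statement digest was recorded under; absent when the statement was not bound to a schema.` — adjusting to the actual column the metricset reads, which is outside this diff. Because the fingerprint processor skips the field only when it is missing (`ignore_missing: true`), every statement that carries a schema name gets a different `query_id` from 1.25.0 on; that break in continuity for saved searches and dashboards keyed on `query_id` deserves a sentence in the changelog entry, as does the unexplained Kibana constraint bump to `^8.15.0` in the manifest hunk.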
@@ -1,7 +1,7 @@ format_version: "3.0.2" name: mysql title: MySQL -version: "1.24.0" +version: "1.25.0" description: Collect logs and metrics from MySQL servers with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - observability conditions: kibana: - version: "^8.14.0" + version: "^8.15.0" elastic: subscription: basic screenshots: diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml index 8f744c24649..22d240edc5c 100644 --- a/packages/network_traffic/changelog.yml +++ b/packages/network_traffic/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.32.0" + changes: + - description: Set `map_to_ecs` to enabled by default + type: enhancement + link: https://github.com/elastic/integrations/pull/10785 - version: "1.31.0" changes: - description: Expose `with_vlans` and `ignore_outgoing` diff --git a/packages/network_traffic/data_stream/amqp/manifest.yml b/packages/network_traffic/data_stream/amqp/manifest.yml index 0bb2d7afa49..8ca763fcd24 100644 --- a/packages/network_traffic/data_stream/amqp/manifest.yml +++ b/packages/network_traffic/data_stream/amqp/manifest.yml @@ -130,6 +130,7 @@ streams: show_user: true multi: false required: false + default: true title: AMQP description: Capture AMQP Traffic template_path: amqp.yml.hbs diff --git a/packages/network_traffic/data_stream/cassandra/manifest.yml b/packages/network_traffic/data_stream/cassandra/manifest.yml index 7ba1ff6cc6d..36ffbd2daa8 100644 --- a/packages/network_traffic/data_stream/cassandra/manifest.yml +++ b/packages/network_traffic/data_stream/cassandra/manifest.yml @@ -117,6 +117,7 @@ streams: show_user: true multi: false required: false + default: true title: Cassandra description: Capture Cassandra Traffic template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml index 1aa7607adf5..94ac9799cb8 100644 
--- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml +++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml @@ -65,6 +65,7 @@ streams: show_user: true multi: false required: false + default: true title: DHCP description: Capture DHCP Traffic template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/data_stream/dns/manifest.yml b/packages/network_traffic/data_stream/dns/manifest.yml index c8f5a2f50de..5def63d5446 100644 --- a/packages/network_traffic/data_stream/dns/manifest.yml +++ b/packages/network_traffic/data_stream/dns/manifest.yml @@ -120,6 +120,7 @@ streams: show_user: true multi: false required: false + default: true title: DNS description: Capture DNS Traffic template_path: dns.yml.hbs diff --git a/packages/network_traffic/data_stream/flow/manifest.yml b/packages/network_traffic/data_stream/flow/manifest.yml index ed73beef964..7deac984815 100644 --- a/packages/network_traffic/data_stream/flow/manifest.yml +++ b/packages/network_traffic/data_stream/flow/manifest.yml @@ -65,3 +65,4 @@ streams: show_user: true multi: false required: false + default: true diff --git a/packages/network_traffic/data_stream/http/manifest.yml b/packages/network_traffic/data_stream/http/manifest.yml index 2ad867128c8..10fbc4846e7 100644 --- a/packages/network_traffic/data_stream/http/manifest.yml +++ b/packages/network_traffic/data_stream/http/manifest.yml @@ -190,6 +190,7 @@ streams: show_user: true multi: false required: false + default: true title: HTTP description: Capture HTTP Traffic template_path: http.yml.hbs diff --git a/packages/network_traffic/data_stream/icmp/manifest.yml b/packages/network_traffic/data_stream/icmp/manifest.yml index 5476bf1833d..4c150fe8866 100644 --- a/packages/network_traffic/data_stream/icmp/manifest.yml +++ b/packages/network_traffic/data_stream/icmp/manifest.yml @@ -58,3 +58,4 @@ streams: show_user: true multi: false required: false + default: true 
diff --git a/packages/network_traffic/data_stream/memcached/manifest.yml b/packages/network_traffic/data_stream/memcached/manifest.yml index 8bb55cbbbce..7a8447d27ba 100644 --- a/packages/network_traffic/data_stream/memcached/manifest.yml +++ b/packages/network_traffic/data_stream/memcached/manifest.yml @@ -141,6 +141,7 @@ streams: show_user: true multi: false required: false + default: true title: Memcached description: Capture Memcached Traffic template_path: memcached.yml.hbs diff --git a/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml b/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml index f3768b9668a..c429d18fd0d 100644 --- a/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml +++ b/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml @@ -4,5 +4,7 @@ input: packet numeric_keyword_fields: - mongodb.cursorId - mongodb.startingFrom + - network_traffic.mongodb.cursorId + - network_traffic.mongodb.startingFrom data_stream: vars: ~ diff --git a/packages/network_traffic/data_stream/mongodb/manifest.yml b/packages/network_traffic/data_stream/mongodb/manifest.yml index 0ac427c7089..0417d397ab9 100644 --- a/packages/network_traffic/data_stream/mongodb/manifest.yml +++ b/packages/network_traffic/data_stream/mongodb/manifest.yml @@ -111,6 +111,7 @@ streams: show_user: true multi: false required: false + default: true title: MongoDB description: Capture MongoDB Traffic template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/data_stream/mysql/manifest.yml b/packages/network_traffic/data_stream/mysql/manifest.yml index e6de4480a9b..34b106f3206 100644 --- a/packages/network_traffic/data_stream/mysql/manifest.yml +++ b/packages/network_traffic/data_stream/mysql/manifest.yml 
@@ -92,6 +92,7 @@ streams: show_user: true multi: false required: false + default: true title: MySQL description: Capture MySQL Traffic template_path: mysql.yml.hbs diff --git a/packages/network_traffic/data_stream/nfs/manifest.yml b/packages/network_traffic/data_stream/nfs/manifest.yml index 279a6783ba6..7e150ddab0b 100644 --- a/packages/network_traffic/data_stream/nfs/manifest.yml +++ b/packages/network_traffic/data_stream/nfs/manifest.yml @@ -92,6 +92,7 @@ streams: show_user: true multi: false required: false + default: true title: NFS description: Capture NFS Traffic template_path: nfs.yml.hbs diff --git a/packages/network_traffic/data_stream/pgsql/manifest.yml b/packages/network_traffic/data_stream/pgsql/manifest.yml index 4d03ad0cdb8..54986404131 100644 --- a/packages/network_traffic/data_stream/pgsql/manifest.yml +++ b/packages/network_traffic/data_stream/pgsql/manifest.yml @@ -92,6 +92,7 @@ streams: show_user: true multi: false required: false + default: true title: PostgreSQL description: Capture PostgreSQL Traffic template_path: pgsql.yml.hbs diff --git a/packages/network_traffic/data_stream/redis/manifest.yml b/packages/network_traffic/data_stream/redis/manifest.yml index b8d8042e004..f29675ff2d5 100644 --- a/packages/network_traffic/data_stream/redis/manifest.yml +++ b/packages/network_traffic/data_stream/redis/manifest.yml @@ -111,6 +111,7 @@ streams: show_user: true multi: false required: false + default: true title: Redis description: Capture Redis Traffic template_path: redis.yml.hbs diff --git a/packages/network_traffic/data_stream/sip/manifest.yml b/packages/network_traffic/data_stream/sip/manifest.yml index d465123ed08..6a8c120e376 100644 --- a/packages/network_traffic/data_stream/sip/manifest.yml +++ b/packages/network_traffic/data_stream/sip/manifest.yml @@ -86,6 +86,7 @@ streams: show_user: true multi: false required: false + default: true title: SIP description: Capture SIP Traffic template_path: sip.yml.hbs 
diff --git a/packages/network_traffic/data_stream/thrift/manifest.yml b/packages/network_traffic/data_stream/thrift/manifest.yml index e233a99a875..ff933e5c572 100644 --- a/packages/network_traffic/data_stream/thrift/manifest.yml +++ b/packages/network_traffic/data_stream/thrift/manifest.yml @@ -166,6 +166,7 @@ streams: show_user: true multi: false required: false + default: true title: Thrift description: Capture Thrift Traffic template_path: thrift.yml.hbs diff --git a/packages/network_traffic/data_stream/tls/manifest.yml b/packages/network_traffic/data_stream/tls/manifest.yml index 4eaebadfca0..565faccf81b 100644 --- a/packages/network_traffic/data_stream/tls/manifest.yml +++ b/packages/network_traffic/data_stream/tls/manifest.yml @@ -92,6 +92,7 @@ streams: show_user: true multi: false required: false + default: true title: TLS description: Capture TLS Traffic template_path: tls.yml.hbs diff --git a/packages/network_traffic/manifest.yml b/packages/network_traffic/manifest.yml index b1d4aabe2b6..01aecf2675a 100644 --- a/packages/network_traffic/manifest.yml +++ b/packages/network_traffic/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: network_traffic title: Network Packet Capture -version: "1.31.0" +version: "1.32.0" description: Capture and analyze network traffic from a host with Elastic Agent. type: integration categories: diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml index a0401eaa664..370696eaa38 100644 --- a/packages/panw/changelog.yml +++ b/packages/panw/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "4.0.2" + changes: + - description: Support optional syslog priority in messages + type: enhancement + link: https://github.com/elastic/integrations/pull/10863 - version: "4.0.1" changes: - description: Fix parsing bug for panw.panos.x_forwarded_for field 
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log
index dbad64cedc0..5c29c23e2b0 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log
@@ -2,3 +2,5 @@ Apr 11 20:06:15 192.168.0.1 01111111111,2024/04/11 20:06:15,audit,2561,gui-op,su
 Apr 18 18:35:20 10.1.1.1 003001000000,2024/04/18 18:35:20,audit,2561,gui-op,Mustang,"all",success
 Apr 18 18:36:20 test-hostname 003001000000,2024/04/18 18:36:20,audit,2561,gui-op,Mustang,"all",success
 Apr 18 18:37:20 test-hostname.test.intra 003001000000,2024/04/18 18:37:20,audit,2561,gui-op,Mustang,"all",success
+<190>Aug 6 15:45:10 10.1.1.1 013101009361,2024/08/06 15:45:10,audit,2561,gui-op,redact,"",success
+<190>Aug 6 15:45:10 10.1.1.1 013101009361,2024/08/06 15:45:10,audit,2561,gui-op,redact,"",success
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json
index e4d4034822e..5c02bfaf25c 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json
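Review bot: The two added sample lines are byte-identical, so the second one only doubles the expected-output fixture without exercising anything new; if the intent was to cover a second shape (a hostname instead of an IP after the PRI, or a different PRI such as `<14>`), change the second line accordingly, otherwise drop it. The samples also only cover the syslog-header format; if PAN-OS can prefix the CSV-only format handled by the first grok pattern with a PRI as well, a sample for that case is worth adding so the first pattern's behaviour is pinned too.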
@@ -167,6 +167,90 @@ "user": { "name": "Mustang" } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "<190>Aug 6 15:45:10 10.1.1.1 013101009361,2024/08/06 15:45:10,audit,2561,gui-op,redact,\"\",success", + "outcome": "success", + "timezone": "-04:00" + }, + "message": "2561,gui-op,redact,\"\",success", + "observer": { + "hostname": "10.1.1.1", + "product": "PAN-OS", + "serial_number": "013101009361", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "cmd": "", + "cmd_source": "gui-op", + "config_version": "2561", + "generated_time": "2024-08-06T15:45:10.000-04:00", + "type": "AUDIT" + } + }, + "related": { + "hosts": [ + "10.1.1.1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "redact" + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "<190>Aug 6 15:45:10 10.1.1.1 013101009361,2024/08/06 15:45:10,audit,2561,gui-op,redact,\"\",success", + "outcome": "success", + "timezone": "-04:00" + }, + "message": "2561,gui-op,redact,\"\",success", + "observer": { + "hostname": "10.1.1.1", + "product": "PAN-OS", + "serial_number": "013101009361", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "cmd": "", + "cmd_source": "gui-op", + "config_version": "2561", + "generated_time": "2024-08-06T15:45:10.000-04:00", + "type": "AUDIT" + } + }, + "related": { + "hosts": [ + "10.1.1.1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "redact" + } } ] } \ No newline at end of file diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml index effe4f6da00..7cef0168df6 100644 --- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
@@ -30,7 +30,7 @@ processors:
 field: _temp_.message
 patterns:
 - "^%{DATA},%{TIMESTAMP:_temp_.received_time},%{FIELD:observer.serial_number},%{FIELD:panw.panos.type},(?:%{FIELD:panw.panos.sub_type})?,%{FIELD:_temp_.config_version},%{TIMESTAMP:_temp_.generated_time},%{GREEDYDATA:message}$"
- - "^%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IPORHOST:observer.hostname} %{NOTSPACE:observer.serial_number},%{PANW_DATE:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$"
+ - "^(?:<\\d+>)?%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IPORHOST:observer.hostname} %{NOTSPACE:observer.serial_number},%{PANW_DATE:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$"
 pattern_definitions:
 TIMESTAMP: "%{PANW_DATE}|%{TIMESTAMP_ISO8601}"
 PANW_DATE: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}"
diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml
index 4996dd49ac8..db4e3243076 100644
--- a/packages/panw/manifest.yml
+++ b/packages/panw/manifest.yml
@@ -1,6 +1,6 @@
 name: panw
 title: Palo Alto Next-Gen Firewall
-version: "4.0.1"
+version: "4.0.2"
 description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"
diff --git a/packages/panw_cortex_xdr/changelog.yml b/packages/panw_cortex_xdr/changelog.yml
index cd747570324..0e8a14d85d4 100644
--- a/packages/panw_cortex_xdr/changelog.yml
+++ b/packages/panw_cortex_xdr/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+ changes:
+ - description: Use Cortex XDR SIEM ingestion time for cursor progression.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10774
 - version: "1.28.0"
 changes:
 - description: "Modify incident handling to match Defender for Endpoint. Change fingerprint, timestamp, and search cursor to modification_time. Add severity:critical."
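Review bot: The new `(?:<\\d+>)?` prefix discards the syslog PRI instead of capturing it, although the facility and severity it encodes (190 in the new samples is local7/informational) are exactly what a SOC filters on, and `\\d+` also accepts out-of-range values such as `<9999>` that are not valid PRIs. Capture it into ECS instead: `- "^(?:<%{NONNEGINT:log.syslog.priority:int}>)?%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IPORHOST:observer.hostname} ..."` with the rest of the pattern unchanged, and, if the package wants the split values, derive `log.syslog.facility.code` and `log.syslog.severity.code` as `priority / 8` and `priority % 8` in a later processor. The expected.json fixtures added in this PR would then need regenerating. The `field:` line belongs to a grok processor whose header is outside the hunk.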
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/agent/stream/httpjson.yml.hbs b/packages/panw_cortex_xdr/data_stream/alerts/agent/stream/httpjson.yml.hbs index 1027cd4b687..6a895318948 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/agent/stream/httpjson.yml.hbs +++ b/packages/panw_cortex_xdr/data_stream/alerts/agent/stream/httpjson.yml.hbs @@ -51,13 +51,13 @@ request.transforms: target: body.request_data.filters value: |- { - "field": "creation_time", + "field": "server_creation_time", "operator": "gte", "value": [[ .cursor.next_ts ]] } default: |- { - "field": "creation_time", + "field": "server_creation_time", "operator": "gte", "value": [[ mul (add (now (parseDuration "-{{initial_interval}}")).Unix) 1000 ]] } @@ -81,7 +81,7 @@ response.pagination: fail_on_template_error: true cursor: next_ts: - value: "[[.last_event.detection_timestamp]]" + value: "[[.last_event.local_insert_ts]]" tags: {{#if preserve_original_event}} diff --git a/packages/panw_cortex_xdr/manifest.yml b/packages/panw_cortex_xdr/manifest.yml index 3efaca4e669..42d13813109 100644 --- a/packages/panw_cortex_xdr/manifest.yml +++ b/packages/panw_cortex_xdr/manifest.yml @@ -1,6 +1,6 @@ name: panw_cortex_xdr title: Palo Alto Cortex XDR -version: "1.28.0" +version: "1.29.0" description: Collect logs from Palo Alto Cortex XDR with Elastic Agent. type: integration format_version: "3.0.2" diff --git a/packages/prometheus/changelog.yml b/packages/prometheus/changelog.yml index 99d2bb36271..ea6d0bc00bd 100644 --- a/packages/prometheus/changelog.yml +++ b/packages/prometheus/changelog.yml 
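Review bot: The request filter now compares `server_creation_time`, but the cursor in the second hunk is advanced from `local_insert_ts` of the last event, so the two only stay consistent if those fields are the same server-side timestamp in the same unit (epoch milliseconds); if `local_insert_ts` lags or leads `server_creation_time` for any alert, alerts will be skipped or fetched again. Please confirm against the get_alerts response and either filter and cursor on the same field, `value: "[[.last_event.server_creation_time]]"` if the response carries it, or add a comment on the cursor line stating the documented relationship. Because the filter uses `gte` and the cursor is the last event's own timestamp, the last alert of every batch is re-requested on the next poll; that is harmless only if downstream fingerprint dedup is in place, which this hunk does not show. The `sort` setting that makes `.last_event` the newest alert is outside the hunk and should use the same field.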
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.1" + changes: + - description: Add a dimension field with a fingerprint value applied over Prometheus label values to avoid document drop. + type: bugfix + link: https://github.com/elastic/integrations/pull/10766 - version: "1.18.0" changes: - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.14.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/prometheus/data_stream/collector/elasticsearch/ingest_pipeline/default.yml b/packages/prometheus/data_stream/collector/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..f66d3178675 --- /dev/null +++ b/packages/prometheus/data_stream/collector/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,14 @@ +--- +description: Pipeline for processing Prometheus collector metrics. +processors: + - fingerprint: + fields: ["prometheus.labels"] + target_field: "prometheus.labels_fingerprint" + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/prometheus/data_stream/collector/fields/fields.yml b/packages/prometheus/data_stream/collector/fields/fields.yml index 4311cfb1f91..b44f4a6f28c 100644 --- a/packages/prometheus/data_stream/collector/fields/fields.yml +++ b/packages/prometheus/data_stream/collector/fields/fields.yml @@ -5,7 +5,10 @@ type: keyword dimension: true description: | - Prometheus metric labels + Prometheus metric labels. + - name: labels_fingerprint + type: keyword + description: Autogenerated ID representing the fingerprint of labels object and includes query name. - name: prometheus.metrics.* type: object object_type: double 
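Review bot: `labels_fingerprint` is declared in the collector fields.yml hunk as a plain `keyword` without `dimension: true`, although the changelog entry above calls it a dimension field and the neighbouring `prometheus.labels.*` entry is a dimension; a field that is not a dimension does not take part in the time-series identity, so as far as the mapping shown goes it is unlikely to prevent the document drop it was added for. Adding `dimension: true` under `- name: labels_fingerprint` addresses that, and the same omission is in the query and remote_write fields.yml hunks of this commit. The copied description `Autogenerated ID representing the fingerprint of labels object and includes query name.` is only accurate for the query data stream, whose pipeline sets `prometheus.labels.query_name`; for collector and remote_write something like `Fingerprint of the prometheus.labels object, used to keep distinct label sets distinct in TSDB.` would not mislead. The new collector pipeline file also lacks a trailing newline.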
diff --git a/packages/prometheus/data_stream/collector/sample_event.json b/packages/prometheus/data_stream/collector/sample_event.json index c0517b600ea..7153f3e1c3e 100644 --- a/packages/prometheus/data_stream/collector/sample_event.json +++ b/packages/prometheus/data_stream/collector/sample_event.json 
@@ -1,43 +1,82 @@ { - "@timestamp": "2022-09-21T13:53:53.737Z", + "@timestamp": "2024-08-20T08:38:11.185Z", + "agent": { + "ephemeral_id": "b9fad797-a22c-47be-b2f4-44c0a89b6c25", + "id": "9822f27e-ae7c-4cee-98af-094356f8bf91", + "name": "elastic-agent-35087", + "type": "metricbeat", + "version": "8.14.0" + }, "data_stream": { "dataset": "prometheus.collector", - "namespace": "default", + "namespace": "52976", "type": "metrics" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "68e3d23a-08cd-4477-924b-25f491194aba", - "snapshot": true, - "version": "8.4.0" + "id": "9822f27e-ae7c-4cee-98af-094356f8bf91", + "snapshot": false, + "version": "8.14.0" }, "event": { "agent_id_status": "verified", "dataset": "prometheus.collector", - "duration": 10509824, - "ingested": "2022-09-21T13:53:54Z", + "duration": 1958134070, + "ingested": "2024-08-20T08:38:13Z", "module": "prometheus" }, - "host": {}, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "elastic-agent-35087", + "id": "345c85cf1fe945e2b19719b370c09a48", + "ip": [ + "192.168.241.8", + "192.168.242.2" + ], + "mac": [ + "02-42-C0-A8-F1-08", + "02-42-C0-A8-F2-02" + ], + "name": "elastic-agent-35087", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-189-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, "metricset": { "name": "collector", "period": 10000 }, "prometheus": { "labels": { - "instance": "prometheus-server-server:80", - "job": "prometheus", - "quantile": "0.5", - "scrape_job": "kubernetes-services" + "dialer_name": "alertmanager", + "instance": "svc-prometheus:9090", + "job": "prometheus" + }, + "labels_fingerprint": "jn10I8M3W8CSQq1v0nbhVyegvgQ=", + "net_conntrack_dialer_conn_attempted_total": { + "counter": 0, + "rate": 0 + }, + "net_conntrack_dialer_conn_closed_total": { + "counter": 0, + "rate": 0 }, - "prometheus_target_sync_length_seconds": { - 
"value": 0.000103602 + "net_conntrack_dialer_conn_established_total": { + "counter": 0, + "rate": 0 } }, "service": { - "address": "http://prometheus-server-server:80/metrics", + "address": "http://svc-prometheus:9090/metrics", "type": "prometheus" } } \ No newline at end of file diff --git a/packages/prometheus/data_stream/query/elasticsearch/ingest_pipeline/default.yml b/packages/prometheus/data_stream/query/elasticsearch/ingest_pipeline/default.yml index 8da5588e974..4be76fe0ec4 100644 --- a/packages/prometheus/data_stream/query/elasticsearch/ingest_pipeline/default.yml +++ b/packages/prometheus/data_stream/query/elasticsearch/ingest_pipeline/default.yml @@ -8,6 +8,10 @@ processors: field: "prometheus.labels.query_name" value: "{{_ingest._key}}" description: Add query_name as a label to cover cases, when query returns a single value with no labels + - fingerprint: + fields: ["prometheus.labels"] + target_field: "prometheus.labels_fingerprint" + ignore_missing: true on_failure: - set: field: event.kind diff --git a/packages/prometheus/data_stream/query/fields/fields.yml b/packages/prometheus/data_stream/query/fields/fields.yml index 4c55309af12..24c80d6f77e 100644 --- a/packages/prometheus/data_stream/query/fields/fields.yml +++ b/packages/prometheus/data_stream/query/fields/fields.yml @@ -5,7 +5,10 @@ type: keyword dimension: true description: | - Prometheus metric labels + Prometheus metric labels. + - name: labels_fingerprint + type: keyword + description: Autogenerated ID representing the fingerprint of labels object and includes query name. - name: prometheus.query.* type: object object_type: double diff --git a/packages/prometheus/data_stream/query/sample_event.json b/packages/prometheus/data_stream/query/sample_event.json index 0c95e1dd107..a9886d7888d 100644 --- a/packages/prometheus/data_stream/query/sample_event.json +++ b/packages/prometheus/data_stream/query/sample_event.json 
@@ -1,45 +1,71 @@ { - "@timestamp": "2022-09-21T14:06:49.000Z", + "@timestamp": "2024-08-20T08:39:07.000Z", "agent": { - "ephemeral_id": "63ab98c3-c4ae-4a30-84f9-9a2d7f459728", - "id": "68e3d23a-08cd-4477-924b-25f491194aba", - "name": "kind-control-plane", + "ephemeral_id": "cc18c40d-dcb8-4192-aede-e988d68c376c", + "id": "842b000b-c1bd-4608-bbd8-2a1849afc2f5", + "name": "elastic-agent-31805", "type": "metricbeat", - "version": "8.4.0" + "version": "8.14.0" }, "data_stream": { "dataset": "prometheus.query", - "namespace": "default", + "namespace": "54564", "type": "metrics" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "68e3d23a-08cd-4477-924b-25f491194aba", - "snapshot": true, - "version": "8.4.0" + "id": "842b000b-c1bd-4608-bbd8-2a1849afc2f5", + "snapshot": false, + "version": "8.14.0" }, "event": { "agent_id_status": "verified", "dataset": "prometheus.query", - "duration": 1153570, - "ingested": "2022-09-21T14:06:50Z", + "duration": 6078736, + "ingested": "2024-08-20T08:39:10Z", "module": "prometheus" }, - "host": {}, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "elastic-agent-31805", + "id": "345c85cf1fe945e2b19719b370c09a48", + "ip": [ + "192.168.241.8", + "192.168.242.2" + ], + "mac": [ + "02-42-C0-A8-F1-08", + "02-42-C0-A8-F2-02" + ], + "name": "elastic-agent-31805", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-189-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, "metricset": { "name": "query", "period": 10000 }, "prometheus": { - "labels": {}, + "labels": { + "query_name": "scalar" + }, + "labels_fingerprint": "uE8iX47vrW1H38mLYMD73p8/CcA=", "query": { - "instant_vector": 0.7838951248394681 + "scalar": 100 } }, "service": { - "address": "http://prometheus-server-server:80", + "address": "http://svc-prometheus:9090", "type": "prometheus" } } \ No newline at end of file 
diff --git a/packages/prometheus/data_stream/remote_write/elasticsearch/ingest_pipeline/default.yml b/packages/prometheus/data_stream/remote_write/elasticsearch/ingest_pipeline/default.yml index 5fc1f8b4738..1cf77307100 100644 --- a/packages/prometheus/data_stream/remote_write/elasticsearch/ingest_pipeline/default.yml +++ b/packages/prometheus/data_stream/remote_write/elasticsearch/ingest_pipeline/default.yml @@ -23,8 +23,8 @@ processors: value: ["{{_ingest._key}}"] description: Add all keys of the 'prometheus' object to the earlier created field, it includes all metric names and key "labels" - fingerprint: - fields: ["prometheus.labels.metrics_names"] - target_field: "prometheus.metrics_names_fingerprint" + fields: ["prometheus.labels"] + target_field: "prometheus.labels_fingerprint" ignore_missing: true - remove: field: "prometheus.labels.metrics_names" diff --git a/packages/prometheus/data_stream/remote_write/fields/fields.yml b/packages/prometheus/data_stream/remote_write/fields/fields.yml index 04bac4803d4..bb4fb9eb19e 100644 --- a/packages/prometheus/data_stream/remote_write/fields/fields.yml +++ b/packages/prometheus/data_stream/remote_write/fields/fields.yml @@ -5,7 +5,10 @@ type: keyword dimension: true description: | - Prometheus metric labels + Prometheus metric labels. + - name: labels_fingerprint + type: keyword + description: Autogenerated ID representing the fingerprint of labels object and includes query name. - name: metrics_names_fingerprint type: keyword dimension: true diff --git a/packages/prometheus/docs/README.md b/packages/prometheus/docs/README.md index 111d50799ca..2c9affe1ed8 100644 --- a/packages/prometheus/docs/README.md +++ b/packages/prometheus/docs/README.md 
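Review bot: After retargeting the fingerprint processor to `prometheus.labels` / `prometheus.labels_fingerprint`, nothing in this hunk writes `prometheus.metrics_names_fingerprint` any more, yet the field stays declared with `dimension: true` in the remote_write fields.yml hunk and documented in the README; unless another processor outside the hunk populates it, it is now a dead dimension and its README row is stale, so either drop the declaration or keep the old processor alongside the new one. The fingerprint still runs before the `remove` of `prometheus.labels.metrics_names`, so the hash covers the label values and the metric-name list together; that looks deliberate (it subsumes the old fingerprint) but should be stated, e.g. `# computed before metrics_names is removed so the fingerprint covers labels and metric names`. The `processors` list continues beyond the hunk on both sides.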
@@ -131,45 +131,84 @@ An example event for `collector` looks as following: ```json { - "@timestamp": "2022-09-21T13:53:53.737Z", + "@timestamp": "2024-08-20T08:38:11.185Z", + "agent": { + "ephemeral_id": "b9fad797-a22c-47be-b2f4-44c0a89b6c25", + "id": "9822f27e-ae7c-4cee-98af-094356f8bf91", + "name": "elastic-agent-35087", + "type": "metricbeat", + "version": "8.14.0" + }, "data_stream": { "dataset": "prometheus.collector", - "namespace": "default", + "namespace": "52976", "type": "metrics" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "68e3d23a-08cd-4477-924b-25f491194aba", - "snapshot": true, - "version": "8.4.0" + "id": "9822f27e-ae7c-4cee-98af-094356f8bf91", + "snapshot": false, + "version": "8.14.0" }, "event": { "agent_id_status": "verified", "dataset": "prometheus.collector", - "duration": 10509824, - "ingested": "2022-09-21T13:53:54Z", + "duration": 1958134070, + "ingested": "2024-08-20T08:38:13Z", "module": "prometheus" }, - "host": {}, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "elastic-agent-35087", + "id": "345c85cf1fe945e2b19719b370c09a48", + "ip": [ + "192.168.241.8", + "192.168.242.2" + ], + "mac": [ + "02-42-C0-A8-F1-08", + "02-42-C0-A8-F2-02" + ], + "name": "elastic-agent-35087", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-189-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, "metricset": { "name": "collector", "period": 10000 }, "prometheus": { "labels": { - "instance": "prometheus-server-server:80", - "job": "prometheus", - "quantile": "0.5", - "scrape_job": "kubernetes-services" + "dialer_name": "alertmanager", + "instance": "svc-prometheus:9090", + "job": "prometheus" + }, + "labels_fingerprint": "jn10I8M3W8CSQq1v0nbhVyegvgQ=", + "net_conntrack_dialer_conn_attempted_total": { + "counter": 0, + "rate": 0 + }, + "net_conntrack_dialer_conn_closed_total": { + "counter": 0, 
+ "rate": 0 }, - "prometheus_target_sync_length_seconds": { - "value": 0.000103602 + "net_conntrack_dialer_conn_established_total": { + "counter": 0, + "rate": 0 } }, "service": { - "address": "http://prometheus-server-server:80/metrics", + "address": "http://svc-prometheus:9090/metrics", "type": "prometheus" } } @@ -206,7 +245,8 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | prometheus.\*.histogram | Prometheus histogram metric | object | | | prometheus.\*.rate | Prometheus rated counter metric | object | gauge | | prometheus.\*.value | Prometheus gauge metric | object | gauge | -| prometheus.labels.\* | Prometheus metric labels | keyword | | +| prometheus.labels.\* | Prometheus metric labels. | keyword | | +| prometheus.labels_fingerprint | Autogenerated ID representing the fingerprint of labels object and includes query name. | keyword | | | prometheus.metrics.\* | Prometheus metric | object | gauge | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | @@ -401,7 +441,8 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | prometheus.\*.histogram | Prometheus histogram metric | object | | | prometheus.\*.rate | Prometheus rated counter metric | object | gauge | | prometheus.\*.value | Prometheus gauge metric | object | gauge | -| prometheus.labels.\* | Prometheus metric labels | keyword | | +| prometheus.labels.\* | Prometheus metric labels. | keyword | | +| prometheus.labels_fingerprint | Autogenerated ID representing the fingerprint of labels object and includes query name. | keyword | | | prometheus.metrics.\* | Prometheus metric | object | gauge | | prometheus.metrics_names_fingerprint | Autogenerated ID representing the fingerprint of the list of metrics names | keyword | | 
@@ -532,47 +573,73 @@ An example event for `query` looks as following: ```json { - "@timestamp": "2022-09-21T14:06:49.000Z", + "@timestamp": "2024-08-20T08:39:07.000Z", "agent": { - "ephemeral_id": "63ab98c3-c4ae-4a30-84f9-9a2d7f459728", - "id": "68e3d23a-08cd-4477-924b-25f491194aba", - "name": "kind-control-plane", + "ephemeral_id": "cc18c40d-dcb8-4192-aede-e988d68c376c", + "id": "842b000b-c1bd-4608-bbd8-2a1849afc2f5", + "name": "elastic-agent-31805", "type": "metricbeat", - "version": "8.4.0" + "version": "8.14.0" }, "data_stream": { "dataset": "prometheus.query", - "namespace": "default", + "namespace": "54564", "type": "metrics" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "68e3d23a-08cd-4477-924b-25f491194aba", - "snapshot": true, - "version": "8.4.0" + "id": "842b000b-c1bd-4608-bbd8-2a1849afc2f5", + "snapshot": false, + "version": "8.14.0" }, "event": { "agent_id_status": "verified", "dataset": "prometheus.query", - "duration": 1153570, - "ingested": "2022-09-21T14:06:50Z", + "duration": 6078736, + "ingested": "2024-08-20T08:39:10Z", "module": "prometheus" }, - "host": {}, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "elastic-agent-31805", + "id": "345c85cf1fe945e2b19719b370c09a48", + "ip": [ + "192.168.241.8", + "192.168.242.2" + ], + "mac": [ + "02-42-C0-A8-F1-08", + "02-42-C0-A8-F2-02" + ], + "name": "elastic-agent-31805", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-189-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, "metricset": { "name": "query", "period": 10000 }, "prometheus": { - "labels": {}, + "labels": { + "query_name": "scalar" + }, + "labels_fingerprint": "uE8iX47vrW1H38mLYMD73p8/CcA=", "query": { - "instant_vector": 0.7838951248394681 + "scalar": 100 } }, "service": { - "address": "http://prometheus-server-server:80", + "address": "http://svc-prometheus:9090", "type": 
"prometheus" } } @@ -605,7 +672,8 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | host.os.build | OS build information. | keyword | | | host.os.codename | OS codename, if any. | keyword | | -| prometheus.labels.\* | Prometheus metric labels | keyword | | +| prometheus.labels.\* | Prometheus metric labels. | keyword | | +| prometheus.labels_fingerprint | Autogenerated ID representing the fingerprint of labels object and includes query name. | keyword | | | prometheus.query.\* | Prometheus value resulted from PromQL | object | gauge | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | diff --git a/packages/prometheus/manifest.yml b/packages/prometheus/manifest.yml index 81c9042108d..073a5e6888a 100644 --- a/packages/prometheus/manifest.yml +++ b/packages/prometheus/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.10.0 name: prometheus title: Prometheus -version: 1.18.0 +version: 1.18.1 description: Collect metrics from Prometheus servers with Elastic Agent. type: integration categories: diff --git a/packages/proofpoint_tap/changelog.yml b/packages/proofpoint_tap/changelog.yml index edcb4a22309..418611a6986 100644 --- a/packages/proofpoint_tap/changelog.yml +++ b/packages/proofpoint_tap/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.0" + changes: + - description: Set default search period to one day. + type: enhancement + link: https://github.com/elastic/integrations/pull/10796 - version: "1.22.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json index 1121fef50bf..6278be503ce 100644 --- a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json @@ -1,7 +1,6 @@ { "attributes": { "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -52,8 +53,7 @@ }, "panelIndex": "aa104adb-fbc4-4019-9fda-9f1ca4886d64", "panelRefName": "panel_aa104adb-fbc4-4019-9fda-9f1ca4886d64", - "type": "search", - "version": "7.17.0" + "type": "search" }, { "embeddableConfig": { @@ -73,7 +73,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ff0e011-970a-4b60-9158-962f4e89fbbe": { "columnOrder": [ @@ -87,7 +87,7 @@ "label": "Total Clicks", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -103,12 +103,15 @@ "visualization": { "accessor": "dc762ac8-6645-45a7-ba44-b3fbd0309338", "layerId": "4ff0e011-970a-4b60-9158-962f4e89fbbe", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Count of Clicks [Logs Proofpoint TAP]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -122,8 +125,7 @@ }, "panelIndex": "39f0263c-ab86-416a-8048-83d13edbdbab", "title": "Count of Clicks [Logs Proofpoint TAP]", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -143,7 +145,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "09466534-a461-4fbb-850b-fba8df6b7c37": { "columnOrder": [ @@ -174,7 +176,7 @@ "label": "Part of count()", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "caef084e-7dca-43d6-8538-a2806796463e": { "customLabel": true, @@ -210,15 +212,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "caef084e-7dca-43d6-8538-a2806796463e" - ], "layerId": "09466534-a461-4fbb-850b-fba8df6b7c37", "layerType": "data", "legendDisplay": "default", - "metric": "8c76f7ef-0d3f-4558-8835-17fa53443a49", + "legendSize": "auto", + "metrics": [ + "8c76f7ef-0d3f-4558-8835-17fa53443a49" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "caef084e-7dca-43d6-8538-a2806796463e" + ] } ], "shape": "pie" @@ -240,8 +245,7 @@ }, "panelIndex": "d6f150e5-a82f-453c-867a-3c0f40ba826b", "title": "Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -261,7 +265,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "062ab937-584b-4266-b89a-e0965350fd15": { "columnOrder": [ @@ -295,7 +299,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -320,7 +324,9 @@ } ], "layerId": "062ab937-584b-4266-b89a-e0965350fd15", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Malicious URL [Logs Proofpoint TAP]", @@ -337,8 +343,7 @@ "y": 15 }, "panelIndex": "b921de2f-edd5-4539-bb51-c94c5ddf4541", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -358,7 +363,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { "columnOrder": [ @@ -392,7 +397,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -417,7 +422,9 @@ } ], "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Recipient [Logs Proofpoint TAP]", @@ -434,8 +441,7 @@ "y": 15 }, "panelIndex": "4240bdb9-8306-43fe-8b7a-815e70e28fec", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -455,7 +461,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f7d425df-4f7d-4e18-993d-b8a10cdffe22": { "columnOrder": [ @@ -489,7 +495,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -506,15 +512,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "967f19a8-3944-4a64-a05f-037bcf1f238c" - ], "layerId": "f7d425df-4f7d-4e18-993d-b8a10cdffe22", "layerType": "data", "legendDisplay": "default", - "metric": "ea922d0b-14cf-4625-b038-71d6a627f340", + "legendSize": "auto", + "metrics": [ + "ea922d0b-14cf-4625-b038-71d6a627f340" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "967f19a8-3944-4a64-a05f-037bcf1f238c" + ] } ], "shape": "pie" @@ -534,8 +543,7 @@ "y": 30 }, "panelIndex": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -555,7 +563,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4080ef48-91f4-4339-a059-fa6a9d0fcce8": { "columnOrder": [ 
@@ -589,7 +597,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -614,7 +622,9 @@ } ], "layerId": "4080ef48-91f4-4339-a059-fa6a9d0fcce8", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Click IP [Logs Proofpoint TAP]", 
@@ -631,17 +641,114 @@ "y": 30 }, "panelIndex": "3afffe1a-ab24-4a60-bb83-1973840a6b89", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"1d744b4f-b6df-4195-bfea-8e64340b7da1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"48984da5-6c09-4c75-86d5-b9c1791d120d\",\"includeInFitToBounds\":true,\"label\":\"Clicks\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"destination.geo.location\",\"id\":\"35e48033-3f9a-4228-98be-980fff6c70a1\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"zoom\":1.14,\"center\":{\"lon\":18.18583,\"lat\":51.78838},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": 
"1d744b4f-b6df-4195-bfea-8e64340b7da1", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map", + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "48984da5-6c09-4c75-86d5-b9c1791d120d", + "includeInFitToBounds": true, + "label": "Clicks", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "destination.geo.location", + "id": "35e48033-3f9a-4228-98be-980fff6c70a1", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "label": "Count", + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 51.78838, + "lon": 18.18583 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-1y/d", + "to": "now" + }, + "zoom": 1.14 + }, "title": "Clicks on URL by Region [Logs Proofpoint TAP]", - "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } }, "enhancements": {}, "hiddenLayers": [], @@ -667,25 +774,23 @@ "y": 45 }, "panelIndex": "2e6e0f5d-6968-46c7-9ccf-d0324b2e467f", - "type": "map", - "version": "7.17.0" + "type": "map" } ], "refreshInterval": { "pause": true, "value": 0 }, - "timeFrom": "now-1y/d", + "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "[Logs Proofpoint TAP] Blocked Clicks", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-14T21:57:43.474Z", "id": "proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -761,7 +866,13 @@ "id": "logs-*", "name": "2e6e0f5d-6968-46c7-9ccf-d0324b2e467f:layer_1_source_index_pattern", "type": "index-pattern" + }, + { + "id": "proofpoint_tap-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json index 81785a12998..e44cf48235f 100644 --- a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json @@ -1,7 +1,6 @@ { "attributes": { "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ 
@@ -52,8 +53,7 @@ }, "panelIndex": "7fe02808-920c-4356-a052-d449b2e57ed5", "panelRefName": "panel_7fe02808-920c-4356-a052-d449b2e57ed5", - "type": "search", - "version": "7.17.0" + "type": "search" }, { "embeddableConfig": { @@ -73,7 +73,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ff0e011-970a-4b60-9158-962f4e89fbbe": { "columnOrder": [ @@ -87,7 +87,7 @@ "label": "Total Clicks", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -103,12 +103,15 @@ "visualization": { "accessor": "dc762ac8-6645-45a7-ba44-b3fbd0309338", "layerId": "4ff0e011-970a-4b60-9158-962f4e89fbbe", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Count of Clicks [Logs Proofpoint TAP]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -120,8 +123,7 @@ "y": 0 }, "panelIndex": "2d93f439-bff8-4e48-b469-fca11e18ba81", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -141,7 +143,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4": { "columnOrder": [ @@ -156,7 +158,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "f13e79eb-00ed-4e68-98b5-b5c927055fec": { "customLabel": true, 
@@ -192,15 +194,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "f13e79eb-00ed-4e68-98b5-b5c927055fec" - ], "layerId": "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", "layerType": "data", "legendDisplay": "default", - "metric": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", + "legendSize": "auto", + "metrics": [ + "0466e119-38e8-4d0a-a48f-9b2e7a89d213" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "f13e79eb-00ed-4e68-98b5-b5c927055fec" + ] } ], "shape": "pie" @@ -220,8 +225,7 @@ "y": 0 }, "panelIndex": "05a16b7a-9e32-4398-b547-b44ba5dd1572", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -241,7 +245,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c4191f86-9c54-4a06-a3dd-842b3ef7c241": { "columnOrder": [ @@ -256,7 +260,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "a3e04efb-2f37-464b-a6f2-23c0e19d790d": { "customLabel": true, @@ -292,15 +296,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "a3e04efb-2f37-464b-a6f2-23c0e19d790d" - ], "layerId": "c4191f86-9c54-4a06-a3dd-842b3ef7c241", "layerType": "data", "legendDisplay": "default", - "metric": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", + "legendSize": "auto", + "metrics": [ + "40a5f8c4-9eb3-4dcf-8520-acdb820944df" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "a3e04efb-2f37-464b-a6f2-23c0e19d790d" + ] } ], "shape": "pie" @@ -320,8 +327,7 @@ "y": 15 }, "panelIndex": "771e46d7-ce5c-4c0d-81b2-841e283abf2c", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -341,7 +347,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "062ab937-584b-4266-b89a-e0965350fd15": { "columnOrder": [ 
@@ -375,7 +381,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -400,7 +406,9 @@ } ], "layerId": "062ab937-584b-4266-b89a-e0965350fd15", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Malicious URL [Logs Proofpoint TAP]", @@ -417,8 +425,7 @@ "y": 30 }, "panelIndex": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -438,7 +445,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { "columnOrder": [ @@ -472,7 +479,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -497,7 +504,9 @@ } ], "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Recipient [Logs Proofpoint TAP]", @@ -514,8 +523,7 @@ "y": 15 }, "panelIndex": "85ab74a3-eb94-47f2-9592-6654f540d9d5", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -535,7 +543,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4080ef48-91f4-4339-a059-fa6a9d0fcce8": { "columnOrder": [ @@ -569,7 +577,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -594,7 +602,9 @@ } ], "layerId": "4080ef48-91f4-4339-a059-fa6a9d0fcce8", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Click IP [Logs Proofpoint TAP]", 
@@ -611,17 +621,114 @@ "y": 30 }, "panelIndex": "bae14c77-2488-49e8-87e1-f60be58b1ad9", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"1d744b4f-b6df-4195-bfea-8e64340b7da1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"48984da5-6c09-4c75-86d5-b9c1791d120d\",\"includeInFitToBounds\":true,\"label\":\"Clicks\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"destination.geo.location\",\"id\":\"35e48033-3f9a-4228-98be-980fff6c70a1\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"zoom\":1.14,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": 
"1d744b4f-b6df-4195-bfea-8e64340b7da1", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map", + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "48984da5-6c09-4c75-86d5-b9c1791d120d", + "includeInFitToBounds": true, + "label": "Clicks", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "destination.geo.location", + "id": "35e48033-3f9a-4228-98be-980fff6c70a1", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "label": "Count", + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-1y/d", + "to": "now" + }, + "zoom": 1.14 + }, "title": "Clicks on URL by Region [Logs Proofpoint TAP]", - "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } }, "enhancements": {}, "hiddenLayers": [], @@ -647,25 +754,23 @@ "y": 45 }, "panelIndex": "b4c89de9-9f07-4261-8fd5-554b89dbb714", - "type": "map", - "version": "7.17.0" + "type": "map" } ], "refreshInterval": { "pause": true, "value": 0 }, - "timeFrom": "now-1y/d", + "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "[Logs Proofpoint TAP] Permitted Clicks", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-14T21:57:34.320Z", "id": "proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -741,7 +846,13 @@ "id": "logs-*", "name": "b4c89de9-9f07-4261-8fd5-554b89dbb714:layer_1_source_index_pattern", "type": "index-pattern" + }, + { + "id": "proofpoint_tap-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json index debbfd7a038..32760e91d65 100644 --- a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json @@ -1,7 +1,6 @@ { "attributes": { "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ 
@@ -52,8 +53,7 @@ }, "panelIndex": "e5247373-1ae6-403b-89b5-93281d642883", "panelRefName": "panel_e5247373-1ae6-403b-89b5-93281d642883", - "type": "search", - "version": "7.17.0" + "type": "search" }, { "embeddableConfig": { @@ -73,7 +73,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "66e9770d-b676-49a0-b502-b3cf64aae59d": { "columnOrder": [ @@ -87,7 +87,7 @@ "label": "Total Messages", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -103,12 +103,15 @@ "visualization": { "accessor": "7afa9eab-9e68-42c1-a5f8-7891197560e2", "layerId": "66e9770d-b676-49a0-b502-b3cf64aae59d", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Count of Messages [Logs Proofpoint TAP]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -120,8 +123,7 @@ "y": 0 }, "panelIndex": "2cfc095d-92da-4512-bf45-21f3a7508129", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -141,7 +143,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e7630b81-f809-4d49-b269-1788bdbdf649": { "columnOrder": [ @@ -175,7 +177,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -200,7 +202,9 @@ } ], "layerId": "e7630b81-f809-4d49-b269-1788bdbdf649", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Sender IP [Logs Proofpoint TAP]", @@ -217,8 +221,7 @@ "y": 0 }, "panelIndex": "efdb9e8c-8541-401c-acc6-767c1a637db4", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -238,7 +241,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "402e61cc-9dba-466f-9269-27b48dd2e4a1": { "columnOrder": [ @@ -253,7 +256,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d1076744-9ca0-4908-a16f-ef349e2cd32a": { "customLabel": true, @@ -289,15 +292,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d1076744-9ca0-4908-a16f-ef349e2cd32a" - ], "layerId": "402e61cc-9dba-466f-9269-27b48dd2e4a1", "layerType": "data", "legendDisplay": "default", - "metric": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", + "legendSize": "auto", + "metrics": [ + "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d1076744-9ca0-4908-a16f-ef349e2cd32a" + ] } ], "shape": "pie" @@ -317,8 +323,7 @@ "y": 15 }, "panelIndex": "637266a0-908f-40ee-aa10-55569e7cbd29", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -338,7 +343,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a0987be1-b682-412e-8d46-a4ad00e985c1": { "columnOrder": [ @@ -372,7 +377,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -389,15 +394,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "74697bb2-b72f-4b6e-b651-06f50ef31467" - ], "layerId": "a0987be1-b682-412e-8d46-a4ad00e985c1", "layerType": "data", "legendDisplay": "default", - "metric": "87ce1993-56c0-4458-9cb1-ae12af5a629a", + "legendSize": "auto", + "metrics": [ + "87ce1993-56c0-4458-9cb1-ae12af5a629a" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "74697bb2-b72f-4b6e-b651-06f50ef31467" + ] } ], "shape": "pie" 
@@ -417,8 +425,7 @@ "y": 15 }, "panelIndex": "3e565fd9-f29d-41b5-a084-7393d29028d9", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -438,7 +445,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { "columnOrder": [ @@ -472,7 +479,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -497,7 +504,9 @@ } ], "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Recipient [Logs Proofpoint TAP]", @@ -514,8 +523,7 @@ "y": 30 }, "panelIndex": "2371e369-c82c-4443-bbf5-9d2b119fb9e9", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -535,7 +543,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e327fec5-d799-4b3f-acfc-32c1ecaac682": { "columnOrder": [ @@ -550,7 +558,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "f096fb9b-5208-4f47-b5a5-0ad3de754fda": { "customLabel": true, @@ -586,15 +594,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "f096fb9b-5208-4f47-b5a5-0ad3de754fda" - ], "layerId": "e327fec5-d799-4b3f-acfc-32c1ecaac682", "layerType": "data", "legendDisplay": "default", - "metric": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", + "legendSize": "auto", + "metrics": [ + "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "f096fb9b-5208-4f47-b5a5-0ad3de754fda" + ] } ], "shape": "pie" @@ -614,8 +625,7 @@ "y": 30 }, "panelIndex": "a3d367ee-91bb-421d-b6fc-27daabd46a54", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -635,7 +645,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f2e404cb-ffef-4218-a7d7-20a1972f7fe5": { "columnOrder": [ @@ -669,7 +679,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -686,15 +696,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "86527e47-1073-45bd-8f35-657f4d277b62" - ], "layerId": "f2e404cb-ffef-4218-a7d7-20a1972f7fe5", "layerType": "data", "legendDisplay": "default", - "metric": "f40e0576-52c6-4c09-8b8e-446699fed30e", + "legendSize": "auto", + "metrics": [ + "f40e0576-52c6-4c09-8b8e-446699fed30e" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "86527e47-1073-45bd-8f35-657f4d277b62" + ] } ], "shape": "pie" @@ -714,8 +727,7 @@ "y": 45 }, "panelIndex": "3a258b28-29d4-4719-a65e-db1153b954fc", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -735,7 +747,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "01c9ddee-f668-4ee5-8bb6-98e74d2e1439": { "columnOrder": [ @@ -750,7 +762,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d": { "customLabel": true, @@ -786,15 +798,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d" - ], "layerId": "01c9ddee-f668-4ee5-8bb6-98e74d2e1439", "layerType": "data", "legendDisplay": "default", - "metric": "47666138-8fdd-4735-9a26-d5586276afe9", + "legendSize": "auto", + "metrics": [ + "47666138-8fdd-4735-9a26-d5586276afe9" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d" + ] } ], "shape": "pie" 
@@ -814,8 +829,7 @@ "y": 45 }, "panelIndex": "850608eb-ca33-452f-a129-c4719224c52f", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -835,7 +849,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691": { "columnOrder": [ @@ -869,7 +883,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -886,15 +900,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "73dab922-14a4-4c5c-a297-9873a91dad59" - ], "layerId": "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", "layerType": "data", "legendDisplay": "default", - "metric": "b12333e5-b88d-4a3e-96bb-467efc2745b5", + "legendSize": "auto", + "metrics": [ + "b12333e5-b88d-4a3e-96bb-467efc2745b5" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "73dab922-14a4-4c5c-a297-9873a91dad59" + ] } ], "shape": "pie" @@ -914,8 +931,7 @@ "y": 60 }, "panelIndex": "c9517aa1-8122-434d-b93d-719030617688", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -935,7 +951,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "657c0ea2-d756-4c8e-8638-4a2cf8a00bad": { "columnOrder": [ @@ -969,7 +985,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -1012,6 +1028,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar", @@ -1043,8 +1060,7 @@ "y": 60 }, "panelIndex": "6b458dd4-988b-44d1-bd30-1bfadd99712b", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -1064,7 +1080,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8bc257b1-f278-4281-b618-12892df43c90": { "columnOrder": [ @@ -1079,7 +1095,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "bd52eba0-e079-4b31-b053-d6d8e519b21d": { "customLabel": true, @@ -1127,6 +1143,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar", @@ -1154,8 +1171,7 @@ "y": 75 }, "panelIndex": "91bf4cc9-d875-476b-afa9-353e6a6115d2", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -1175,7 +1191,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4b31f83f-2fc1-4509-8a5b-0c80eea8c627": { "columnOrder": [ @@ -1209,7 +1225,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -1254,6 +1270,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar", 
@@ -1285,31 +1302,150 @@ "y": 75 }, "panelIndex": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"c6a42104-e390-4c56-8ef8-5bd774773e72\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\",\"includeInFitToBounds\":true,\"label\":\"Sender\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": 
"{\"zoom\":0.63,\"center\":{\"lon\":96.98463,\"lat\":0},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filters\":[{\"meta\":{\"index\":\"logs-*\",\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"data_stream.dataset\",\"params\":{\"query\":\"proofpoint_tap.message_blocked\"}},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"proofpoint_tap.message_blocked\"}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "c6a42104-e390-4c56-8ef8-5bd774773e72", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map", + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "f8e2c82c-56b8-425d-a79d-ab24baf35f89", + "includeInFitToBounds": true, + "label": "Sender", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "source.geo.location", + "id": "ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "label": "Count", + "type": "count" + } + ], + "requestType": "heatmap", + 
"resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 0, + "lon": 96.98463 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "proofpoint_tap.message_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "proofpoint_tap.message_blocked" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-1y/d", + "to": "now" + }, + "zoom": 0.63 + }, "title": "Sender of Messages by Region [Logs Proofpoint TAP]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } }, "enhancements": {}, "hiddenLayers": [], "isLayerTOCOpen": true, "mapBuffer": { - "maxLat": 89.78601, + "maxLat": 85.05113, "maxLon": 720, - "minLat": -89.78601, + "minLat": -85.05113, "minLon": -540 }, "mapCenter": { "lat": 0, "lon": 96.98463, - "zoom": 0.12 + "zoom": 0.18 }, "openTOCDetails": [] }, 
@@ -1321,25 +1457,23 @@ "y": 90 }, "panelIndex": "d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e", - "type": "map", - "version": "7.17.0" + "type": "map" } ], "refreshInterval": { "pause": true, "value": 0 }, - "timeFrom": "now-1y/d", + "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "[Logs Proofpoint TAP] Blocked Messages", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-14T21:57:23.767Z", "id": "proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -1475,7 +1609,13 @@ "id": "logs-*", "name": "d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e:layer_1_source_index_pattern", "type": "index-pattern" + }, + { + "id": "proofpoint_tap-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json index e27c14e0e6a..d9b3685d2f7 100644 --- a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json @@ -1,7 +1,6 @@ { "attributes": { "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -52,8 +53,7 @@ }, "panelIndex": "a0cc1e4c-3327-478b-94ec-519ebf9582ab", "panelRefName": "panel_a0cc1e4c-3327-478b-94ec-519ebf9582ab", - "type": "search", - "version": "7.17.0" + "type": "search" }, { "embeddableConfig": { 
@@ -73,7 +73,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "66e9770d-b676-49a0-b502-b3cf64aae59d": { "columnOrder": [ @@ -87,7 +87,7 @@ "label": "Total Messages", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -103,12 +103,15 @@ "visualization": { "accessor": "7afa9eab-9e68-42c1-a5f8-7891197560e2", "layerId": "66e9770d-b676-49a0-b502-b3cf64aae59d", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Count of Messages [Logs Proofpoint TAP]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -120,8 +123,7 @@ "y": 0 }, "panelIndex": "057e2ef6-0316-4896-ab34-8aafca79b009", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -141,7 +143,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e7630b81-f809-4d49-b269-1788bdbdf649": { "columnOrder": [ @@ -175,7 +177,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -200,7 +202,9 @@ } ], "layerId": "e7630b81-f809-4d49-b269-1788bdbdf649", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Sender IP [Logs Proofpoint TAP]", @@ -217,8 +221,7 @@ "y": 0 }, "panelIndex": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -238,7 +241,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "410012cf-d8df-4277-ac28-305ea82a09a3": { "columnOrder": [ 
@@ -272,7 +275,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -289,15 +292,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "05e673b3-ec58-44eb-ad0b-c88a43e44a8a" - ], "layerId": "410012cf-d8df-4277-ac28-305ea82a09a3", "layerType": "data", "legendDisplay": "default", - "metric": "68cf8e68-186a-40c7-a199-0463ca8741d8", + "legendSize": "auto", + "metrics": [ + "68cf8e68-186a-40c7-a199-0463ca8741d8" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a" + ] } ], "shape": "pie" @@ -317,8 +323,7 @@ "y": 15 }, "panelIndex": "f5b71bf4-d93b-4383-aee3-0fba04633f7e", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -338,7 +343,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006": { "columnOrder": [ @@ -372,7 +377,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -389,15 +394,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "02195bc5-0e17-4c5d-bf4c-5bcf165cd993" - ], "layerId": "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", "layerType": "data", "legendDisplay": "default", - "metric": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", + "legendSize": "auto", + "metrics": [ + "22bcb44a-ba59-4c78-a069-277e45c5d6ef" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993" + ] } ], "shape": "pie" @@ -417,8 +425,7 @@ "y": 15 }, "panelIndex": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -438,7 +445,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { "columnOrder": [ @@ -472,7 +479,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -497,7 +504,9 @@ } ], "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 Recipient [Logs Proofpoint TAP]", @@ -514,8 +523,7 @@ "y": 30 }, "panelIndex": "3dc5d286-d7b8-4a47-bd70-7699375f31de", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -535,7 +543,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "5b8645f9-f56a-44ea-b567-dad4d9da2824": { "columnOrder": [ @@ -550,7 +558,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "bc4689d4-0411-44f9-add5-ffa0705584dc": { "customLabel": true, @@ -586,15 +594,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "bc4689d4-0411-44f9-add5-ffa0705584dc" - ], "layerId": "5b8645f9-f56a-44ea-b567-dad4d9da2824", "layerType": "data", "legendDisplay": "default", - "metric": "612fda22-416a-4171-8854-f9cb30a4ae05", + "legendSize": "auto", + "metrics": [ + "612fda22-416a-4171-8854-f9cb30a4ae05" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "bc4689d4-0411-44f9-add5-ffa0705584dc" + ] } ], "shape": "pie" @@ -614,8 +625,7 @@ "y": 30 }, "panelIndex": "080a6554-cbad-4aa0-b8a6-d82de9dab805", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -635,7 +645,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "17b04f1e-6124-4c6c-9464-e29a98d97bcf": { "columnOrder": [ 
@@ -669,7 +679,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -686,15 +696,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "20a072f6-3895-45a1-a585-875852453a05" - ], "layerId": "17b04f1e-6124-4c6c-9464-e29a98d97bcf", "layerType": "data", "legendDisplay": "default", - "metric": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", + "legendSize": "auto", + "metrics": [ + "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "20a072f6-3895-45a1-a585-875852453a05" + ] } ], "shape": "pie" @@ -714,8 +727,7 @@ "y": 45 }, "panelIndex": "ec9ba9eb-371c-430a-afc5-f6edf039bd91", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { @@ -735,7 +747,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "590e841c-2ef7-4ace-b981-4bb9d3160054": { "columnOrder": [ @@ -750,7 +762,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "7066eb8e-8f19-4826-adbb-7550c8ea2636": { "customLabel": true, @@ -786,15 +798,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "7066eb8e-8f19-4826-adbb-7550c8ea2636" - ], "layerId": "590e841c-2ef7-4ace-b981-4bb9d3160054", "layerType": "data", "legendDisplay": "default", - "metric": "1bc5c276-8229-422d-bb16-a63859e6f34c", + "legendSize": "auto", + "metrics": [ + "1bc5c276-8229-422d-bb16-a63859e6f34c" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "7066eb8e-8f19-4826-adbb-7550c8ea2636" + ] } ], "shape": "pie" @@ -814,8 +829,7 @@ "y": 45 }, "panelIndex": "c1acfbb3-c3ca-436d-b54e-47f288677136", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -835,7 +849,7 @@
 ],
 "state": {
 "datasourceStates": {
- "indexpattern": {
+ "formBased": {
 "layers": {
 "ecc13edd-9962-402c-b12e-180cccc46f08": {
 "columnOrder": [
@@ -850,7 +864,7 @@
 "label": "Count",
 "operationType": "count",
 "scale": "ratio",
- "sourceField": "Records"
+ "sourceField": "___records___"
 },
 "21d701b1-4d50-4480-94e0-bfd2616489f5": {
 "customLabel": true,
@@ -886,15 +900,18 @@
 "layers": [
 {
 "categoryDisplay": "default",
- "groups": [
- "21d701b1-4d50-4480-94e0-bfd2616489f5"
- ],
 "layerId": "ecc13edd-9962-402c-b12e-180cccc46f08",
 "layerType": "data",
 "legendDisplay": "default",
- "metric": "0bc203c5-ff36-4db6-ad1a-441828203815",
+ "legendSize": "auto",
+ "metrics": [
+ "0bc203c5-ff36-4db6-ad1a-441828203815"
+ ],
 "nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "21d701b1-4d50-4480-94e0-bfd2616489f5"
+ ]
 }
 ],
 "shape": "pie"
@@ -914,8 +931,7 @@
 "y": 60
 },
 "panelIndex": "f1256b4b-8872-4d25-82cd-5a7004108d91",
- "type": "lens",
- "version": "7.17.0"
+ "type": "lens"
 },
 {
 "embeddableConfig": {
@@ -935,7 +951,7 @@
 ],
 "state": {
 "datasourceStates": {
- "indexpattern": {
+ "formBased": {
 "layers": {
 "657c0ea2-d756-4c8e-8638-4a2cf8a00bad": {
 "columnOrder": [
@@ -969,7 +985,7 @@
 "label": "Count",
 "operationType": "count",
 "scale": "ratio",
- "sourceField": "Records"
+ "sourceField": "___records___"
 }
 },
 "incompleteColumns": {}
@@ -1012,6 +1028,7 @@
 ],
 "legend": {
 "isVisible": true,
+ "legendSize": "auto",
 "position": "right"
 },
 "preferredSeriesType": "bar",
@@ -1043,17 +1060,114 @@ "y": 60 }, "panelIndex": "f721f663-e2fd-44c9-88bc-639bff7bc700", - "type": "lens", - "version": "7.17.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"c6a42104-e390-4c56-8ef8-5bd774773e72\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\",\"includeInFitToBounds\":true,\"label\":\"Sender\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"zoom\":1.91,\"center\":{\"lon\":73.8871,\"lat\":33.09876},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": 
"c6a42104-e390-4c56-8ef8-5bd774773e72", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map", + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "f8e2c82c-56b8-425d-a79d-ab24baf35f89", + "includeInFitToBounds": true, + "label": "Sender", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "source.geo.location", + "id": "ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "label": "Count", + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 33.09876, + "lon": 73.8871 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-1y/d", + "to": "now" + }, + "zoom": 1.91 + }, "title": "Sender of Messages by Region [Logs Proofpoint TAP]", - "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } }, "enhancements": {}, "hiddenLayers": [], @@ -1079,25 +1193,23 @@ "y": 75 }, "panelIndex": "de4c11a4-6831-4ad4-92b6-7dc434430690", - "type": "map", - "version": "7.17.0" + "type": "map" } ], "refreshInterval": { "pause": true, "value": 0 }, - "timeFrom": "now-1y/d", + "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "[Logs Proofpoint TAP] Delivered Messages", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-14T21:57:14.002Z", "id": "proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -1213,7 +1325,13 @@ "id": "logs-*", "name": "de4c11a4-6831-4ad4-92b6-7dc434430690:layer_1_source_index_pattern", "type": "index-pattern" + }, + { + "id": "proofpoint_tap-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json b/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json index a4ea02f2eec..48f10165fec 100644 --- a/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json +++ b/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json 
@@ -28,17 +28,22 @@
 ],
 "title": "Messages Essential Details [Logs Proofpoint TAP]"
 },
- "coreMigrationVersion": "7.17.0",
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-08-14T21:55:46.902Z",
 "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d",
- "migrationVersion": {
- "search": "7.9.3"
- },
+ "managed": true,
 "references": [
 {
 "id": "logs-*",
 "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "type": "index-pattern"
+ },
+ {
+ "id": "proofpoint_tap-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
 }
 ],
- "type": "search"
+ "type": "search",
+ "typeMigrationVersion": "10.2.0"
 }
\ No newline at end of file
diff --git a/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json b/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json
index 1ef1d4cfb67..0525af3f149 100644
--- a/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json
+++ b/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json
@@ -27,17 +27,22 @@
 ],
 "title": "Clicks Essential Details [Logs Proofpoint TAP]"
 },
- "coreMigrationVersion": "7.17.0",
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-08-14T21:55:46.902Z",
 "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4",
- "migrationVersion": {
- "search": "7.9.3"
- },
+ "managed": true,
 "references": [
 {
 "id": "logs-*",
 "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "type": "index-pattern"
+ },
+ {
+ "id": "proofpoint_tap-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
 }
 ],
- "type": "search"
+ "type": "search",
+ "typeMigrationVersion": "10.2.0"
 }
\ No newline at end of file
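Review bot: Both saved searches in these two hunks are written with `"managed": true`, while the dashboard hunk above and the new tag object in this same change carry `"managed": false`; if all assets were exported with the same tooling this looks like an inconsistency worth confirming before merge, since Kibana appears to treat managed saved objects differently from user-editable ones. The second search (proofpoint_tap-717803c0…) has the identical value, so whichever setting is intended should be applied to both files together. The objects themselves are exported Kibana saved objects, so the fix is presumably a re-export rather than a hand edit.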
diff --git a/packages/proofpoint_tap/kibana/tag/proofpoint_tap-security-solution-default.json b/packages/proofpoint_tap/kibana/tag/proofpoint_tap-security-solution-default.json
new file mode 100644
index 00000000000..b28ab0b6384
--- /dev/null
+++ b/packages/proofpoint_tap/kibana/tag/proofpoint_tap-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#BADA55",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-08-14T21:55:47.028Z",
+ "id": "proofpoint_tap-security-solution-default",
+ "managed": false,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/proofpoint_tap/manifest.yml b/packages/proofpoint_tap/manifest.yml
index 47aa28ca034..c6aa3e00d72 100644
--- a/packages/proofpoint_tap/manifest.yml
+++ b/packages/proofpoint_tap/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: proofpoint_tap
 title: Proofpoint TAP
-version: "1.22.0"
+version: "1.23.0"
 description: Collect logs from Proofpoint TAP with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/squid/_dev/deploy/docker/docker-compose.yml b/packages/squid/_dev/deploy/docker/docker-compose.yml
index 7f5d4be570f..1f686f607a8 100644
--- a/packages/squid/_dev/deploy/docker/docker-compose.yml
+++ b/packages/squid/_dev/deploy/docker/docker-compose.yml
@@ -1,6 +1,6 @@
 version: '2.3'
 services:
- squid-log-logfile:
+ squid-log-filestream:
 image: alpine
 volumes:
 - ./sample_logs:/sample_logs:ro
@@ -16,3 +16,8 @@ services:
 volumes:
 - ./sample_logs:/sample_logs:ro
 command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9537 -p=tcp /sample_logs/squid-log-*.log
+ squid-log-tls:
+ image: docker.elastic.co/observability/stream:v0.15.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9538 -p=tls --insecure /sample_logs/squid-log-*.log
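Review bot: The new `squid-log-tls` service in the last docker-compose hunk passes `--insecure` to the stream tool without a comment explaining why certificate verification is relaxed; a line above the service such as `# --insecure: test fixture only; the agent's TLS listener on 9538 is not expected to present a CA-verifiable certificate` would stop the flag from being read as a recommended production setting. The matching TLS listener on elastic-agent:9538 is presumably configured in the squid system-test config, which is outside this diff and worth checking in the same change. The rename from `squid-log-logfile` to `squid-log-filestream` in the first hunk of this file will also need any system-test config that names that service updated, which is likewise not visible here.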
diff --git a/packages/squid/_dev/deploy/docker/sample_logs/squid-log-access1.log b/packages/squid/_dev/deploy/docker/sample_logs/squid-log-access.log
similarity index 100%
rename from packages/squid/_dev/deploy/docker/sample_logs/squid-log-access1.log
rename to packages/squid/_dev/deploy/docker/sample_logs/squid-log-access.log
diff --git a/packages/squid/_dev/deploy/docker/sample_logs/squid-log-generated.log b/packages/squid/_dev/deploy/docker/sample_logs/squid-log-generated.log
deleted file mode 100644
index 14078eea632..00000000000
--- a/packages/squid/_dev/deploy/docker/sample_logs/squid-log-generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] "PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite" 10.234.224.44 etdo tation "quasiarc" liqua ciade 5699 "https://example.net/umq/ntium.gif?nes=eab#aliqu" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny -10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] "PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU" 10.70.36.222 estlabo doeiu "nia" olupt volup 208 "https://example.com/eosquir/orsi.txt?itessequ=vol#luptat" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny -10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] "OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident" 10.142.172.64 lupt tia "oloremqu" temvel iatu 5493 "https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] "GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia" quiavo 1156 "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" allow 10.81.122.126 taev 160.145000 -10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] "PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad" 10.171.175.51 boreet onev "tenima" laboreet aquaeabi 5738 "https://api.example.net/veleumi/tia.gif?ude=maveniam#uian" "Mozilla/5.0 (Linux; 
Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] "HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo" 10.12.195.60 uiano mrema "autfu" natura aboris 2946 "https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept -10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] "DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt" 10.207.249.121 iciade tsed "orai" mUt usmodte 1296 "https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" allow -10.34.9.93 124 [08/May/2016:7:27:59 onse] "PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio" 10.116.120.216 qua umdo "sed" apariat mol 1510 "https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" accept -10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] "HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd" 10.30.216.41 enim saute "vel" quu undeo 5794 "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept -10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] "CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup" 10.203.172.203 idestla Nemoeni "uradi" aborumSe luptat 6884 "https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor" "Mozilla/5.0 (Linux; Android 9; 
POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] "UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa" 10.158.185.163 rudexerc aliq "rsitam" quam adm 987 "https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi" "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g" allow -10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] "OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae" 10.201.76.240 amqu uines "nsec" onse emips 2655 "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" accept -10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] "COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat" 10.206.136.206 suntinc xeac "nidolo" tatn eli 6462 "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] "COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum" 10.134.161.118 tat ipitla "quae" maccusa uptat 3458 "https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" block -10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] "NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat" 10.76.3.41 isc aturve "emulla" mpori aaliquaU 2989 "https://www5.example.com/ern/psaquae.html?nsectet=utla#utei" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] "PROPFIND https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali" 10.249.213.83 nsecte itame "eumfug" lit asun 1250 "https://api.example.com/oluptate/onseq.html?labore=texp#tMalor" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept -10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] "HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre" 10.236.248.65 pisciv iquidex "radipisc" tmo fficiade 3280 "https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] "PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali" 10.214.7.83 liquide etdol "uela" boN eprehend 2462 "https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] "GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn" 10.49.92.179 osamn isnisiu "bore" tsu tcons 3128 "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] "PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit" 10.90.86.89 piscin lapar "laboree" tfu udan 5516 "https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] "PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio" 10.14.48.16 sintoc volupt "siste" uiinea Utenima 1612 "https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] "CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure" 10.93.123.174 evelit reetdolo "smo" etcons iusmodi 1563 "https://example.com/uiac/epte.gif?itam=aper#santiumd" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] "MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon" 10.233.48.103 leumiur tlab "aperiame" isc ullamcor 584 "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.93.220.10 2805 [23/Dec/2016:12:09:07 com] "PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu" 10.27.58.92 amvo qui "tasn" Nemoenim squirati 63 "https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] "PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni" 10.135.217.12 metMalo ntexplic "archite" loreme untu 5676 "https://example.net/con/nisist.gif?ium=esciuntN#idunt" "Mozilla/5.0 (Linux; Android 9; G8142) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] "PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt" 10.233.239.112 npr mquelau "iadolor" amcol adeser 3780 "https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" cancel -10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] "CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi" 10.21.169.127 rpori ice "oles" edic seq 2835 "https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] "LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge" 10.69.139.26 ditemp edqui "nre" veli volupta 7124 "https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] "COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi" 10.104.80.189 dolore onsecte "nBCSedut" ugiat onulam 1542 "https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] "UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol" 10.116.230.217 mvele isis "uasiar" utlab emUteni 7122 "https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block -10.26.96.202 2751 [02/Apr/2017:1:27:07 
rautodi] "ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu" 10.119.90.128 lor oraincid "intocc" amcorp ntsunt 4826 "https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel -10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] "HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo" 10.76.110.144 tdol upt "mex" tatem untutlab 3386 "https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" deny -10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] "MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo" 10.135.46.242 lupta xeaco "nvolupt" oremi elites 1940 "https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] "TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri" 10.154.53.249 tae autodit "elit" cidunt plica 7398 "https://internal.example.org/emqu/nderi.html?accusant=onse#admin" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" accept -10.93.39.140 4275 [29/May/2017:5:37:24 ute] "COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc" 10.150.245.88 orisn reetd "prehen" ntutlabo iusmodte 1738 "https://example.org/isc/Nequepor.txt?rem=idid#tesse" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 
Yowser/2.5 Safari/537.36" cancel -10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] "UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu" 10.73.207.70 llamco atu "untincul" ssecil commodi 3023 "https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] "GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac" temUt 2741 "https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow 10.50.124.116 numquam 104.719000 -10.173.222.131 918 [11/Jul/2017:2:45:07 ori] "TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil" 10.211.234.224 uiadol Duisa "lupta" aUt boNem 5564 "https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] "PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed" 10.0.157.225 itam atu "lloin" remipsum tempor 1282 "https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] "PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia" 10.92.237.93 mad onse "redol" gnaa mod 5107 "https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.102.215.23 
3665 [22/Aug/2017:11:52:50 esseq] "POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN" 10.20.28.92 econs ntexpl "dunt" litsedq nderiti 409 "https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" allow -10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] "NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic" 10.17.87.79 tetur tionula "ritqu" ecatcupi uamei 4595 "https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] "DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc" 10.189.94.51 tetura rsp "oluptat" metco acom 5704 "https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" allow -10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] "GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco" 10.101.85.169 natu liquid "enim" Finibus radi 5697 "https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" accept -10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] "HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi" 10.231.7.209 lorsita eavol "osamnis" temaccu scipitl 1247 "https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block -10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] "CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh 
ratv" 10.77.129.175 tali BCS "qui" ugiatquo incidid 2617 "https://www.example.com/sBonor/fugits.jpg?amc=vol#admi" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.51.236.148 329 [16/Nov/2017:6:08:15 adol] "PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup" 10.116.146.114 col obea "emp" agnaaliq est 1444 "https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny -10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] "NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse" 10.217.222.99 ame amvolu "mip" tion tobeatae 2512 "https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" block -10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] "PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis" 10.150.198.112 ntmoll mexer "estla" uipexe abor 1370 "https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.45.114.111 357 [29/Dec/2017:3:15:58 olup] "POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab" 10.45.54.107 seddoeiu nse "aali" edictasu mdolors 7490 "https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" accept 
-10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] "TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia" 10.205.28.24 oeni untutlab "tvolup" consecte pteurs 742 "https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" allow -10.17.202.219 487 [27/Jan/2018:5:21:06 iame] "HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni" 10.183.223.149 cor odoco "oin" itseddoe elites 6366 "https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny -10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] "MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan" 10.88.172.222 doconse etdol "dolorsi" nturmag tura 6695 "https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau" "mobmail android 2.1.3.3150" cancel -10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] "OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero" 10.247.53.179 issu identsu "piscivel" hend eacommo 6835 "https://example.com/osquira/umd.gif?scipi=tur#acon" "mobmail android 2.1.3.3150" accept -10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] "UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido" 10.172.148.223 snulap enimadm "stenatu" upta atc 3066 "https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon" "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80" accept -10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] "GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico" 10.232.19.43 porinc riame "riat" sseq eriam 729 
"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.207.97.192 973 [08/Apr/2018:4:33:58 emp] "ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx" 10.55.55.72 nculp asp "eacom" mag gelitse 2007 "https://example.net/lab/llumq.htm?tetura=rumet#uptasnul" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.41.156.88 203 [22/Apr/2018:11:36:32 oco] "MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat" 10.89.73.240 orem ntorever "pisciv" fugiatqu seos 5561 "https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" deny -10.54.44.231 5292 [07/May/2018:6:39:06 aco] "CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios" 10.101.183.86 mvenia mcorpo "ntexpl" abor oreverit 6451 "https://internal.example.net/tat/eufugia.htm?tau=fficia#est" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" allow -10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] "LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc" 10.130.150.189 oreeu nvo "iamqui" tassita colabori 1223 "https://www.example.net/lpa/isn.htm?iat=ffic#siuta" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] "GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup" 10.83.130.95 ipitlabo userror "eacommo" nderi liqua 7030 
"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" deny -10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] "COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt" 10.166.160.217 olor radip "rchitect" Dui iameaqu 2429 "https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny -10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] "UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu" 10.183.243.246 amni tatio "amquisno" modoc magnam 3267 "https://example.com/idatat/onev.html?lesti=oreseo#reprehen" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel -10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] "OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam" 10.202.224.209 iusmodit aturv "ectetura" obeataev umf 3141 "https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" cancel -10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] "PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors" 10.170.234.233 accus uatu "mquis" lab uido 2046 "https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] "DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic" 10.142.130.227 olabori odic "iuta" liquaUte scivelit 7795 
"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" allow -10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] "DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini" 10.61.110.7 oremque quaU "ufugi" cin tmo 508 "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny -10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] "COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore" 10.68.198.188 doeiu onsectet "dentsunt" inea animid 2119 "https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" block -10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] "CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit" 10.169.63.169 ariat midestl "quatu" avolu teturad 3465 "https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block -10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] "PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima" 10.62.10.137 eeufugi deomnisi "olupta" oll laboree 3880 "https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] "COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud" 10.255.40.12 rro oeiusmo "nimv" emeu tatemac 5192 
"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" deny -10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] "GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam" tuser 2694 "https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" deny 10.88.98.31 rured 105.243000 -10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] "OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi" 10.1.27.133 edqu tationu "gnaaliq" olore ntutlab 6881 "https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] "POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco" 10.70.244.155 olorsi caboNemo "uptas" temaccus ons 2160 "https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" accept -10.204.214.98 985 [21/Dec/2018:11:20:14 equ] "PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo" 10.121.80.158 boriosa cillumdo "ditau" moenimip uames 7663 "https://internal.example.com/lor/oreeu.html?eturadip=nost#atus" "Mozilla/5.0 (Linux; Android 
7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] "PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu" 10.139.151.19 eumf roquisq "uasi" maveniam uis 5533 "https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] "DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat" 10.242.48.203 ctobeat isi "idexeac" ntu tdolo 3872 "https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" deny -10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] "PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod" 10.254.10.98 adipisc aparia "maliq" ccusant epteurs 6661 "https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca" "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36" accept -10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] "LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr" 10.175.138.42 olore onemul "trudexe" remeum etur 890 "https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] "PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch" 10.18.199.203 ugits ittenb "tobeatae" ntut llum 366 "https://example.com/equat/estiaec.htm?mquido=ende#ntmollit" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] "NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt" 10.73.80.251 pteurs ercitati "atem" serro lumquid 5939 "https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" allow -10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] "PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill" 10.22.34.206 mini mve "tionev" uasiarch velites 1745 "https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" block -10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] "CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt" 10.199.103.185 uipe ipsa "con" eirured sequamn 5243 "https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" allow -10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] "COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab" 10.128.84.27 nula ptate "volupta" umfu utla 2478 "https://www5.example.com/dolo/velites.gif?equa=apari#tsunt" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block -10.49.169.175 2103 [13/May/2019:9:45:57 sistena] "HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines" 10.115.154.104 illum ore "spici" Sedut tatis 7767 
"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow -10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] "PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse" 10.33.112.100 catcup enimad "magnaali" velillum ionev 1594 "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" block -10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] "CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa" 10.25.53.93 tvolup oremeu "lab" lla urau 6127 "https://example.net/equamni/atcupi.htm?onemull=mdo#labore" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] "HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu" 10.246.115.57 edquiano mSecti "henderi" taevitae tevel 5926 "https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] "NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse" 10.82.148.126 inBCSedu ita "ade" nihilmol nder 2214 "https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" block -10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] "DELETE 
https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali" 10.6.11.124 edqui tvolu "psu" strud onsequ 5930 "https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" accept -10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] "CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov" 10.145.25.55 litsed lumd "tiaec" lorem iamquisn 2079 "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] "TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm" 10.6.88.105 uptatemU rem "onorumet" iscivel rinci 249 "https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" allow -10.252.146.132 503 [05/Sep/2019:6:06:31 tat] "CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi" 10.163.9.35 uatDu umq "ipsu" oremip ota 4562 "https://example.com/epteurs/itse.jpg?modi=cip#tla" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] "DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo" 10.235.160.245 squamest upta "umquiad" porinc uameiu 4857 "https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" deny -10.140.170.171 773 [03/Oct/2019:8:11:40 deom] "TRACE 
https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici" 10.73.218.58 quidol tinv "Utenima" nse umq 1831 "https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] "OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu" 10.67.148.40 tcons squamest "ction" emveleum siuta 2155 "https://example.com/epteur/onproi.txt?imveniam=sunte#exerc" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny -10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] "UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa" 10.37.33.179 taed eatae "siutali" oloremq sum 6106 "https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat" "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept -10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] "MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv" 10.84.107.38 tutla usmod "ine" qui itse 2097 "https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny -10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] "POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit" 10.204.223.184 oinve ptasnul "utaliqui" mcorpor rerepr 6861 "https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny -10.195.4.70 3844 
[14/Dec/2019:7:24:31 mfugiat] "PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela" 10.229.39.190 Nequepo edictas "emac" rmagnido exeaco 2574 "https://api.example.org/loremi/nven.htm?usan=ugiatn#squa" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny
diff --git a/packages/squid/changelog.yml b/packages/squid/changelog.yml
index 1f3ad2c8715..88e71b589b1 100644
--- a/packages/squid/changelog.yml
+++ b/packages/squid/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.20.0" + changes: + - description: Rewrite integration with standard ingest pipelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/10882 - version: "0.19.3" changes: - description: Add http.request.body.bytes to ECS mappings.
diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log b/packages/squid/data_stream/log/_dev/test/pipeline/test-access.log
similarity index 100%
rename from packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log
rename to packages/squid/data_stream/log/_dev/test/pipeline/test-access.log
diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-access.log-expected.json b/packages/squid/data_stream/log/_dev/test/pipeline/test-access.log-expected.json
new file mode 100644
index 00000000000..12732378dde
--- /dev/null
+++ b/packages/squid/data_stream/log/_dev/test/pipeline/test-access.log-expected.json
@@ -0,0 +1,6518 @@ +{ + "expected": [ + { + "@timestamp": "2006-09-08T04:21:52.049Z", + "destination": { + "bytes": 19763 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 5006000000, + "kind": "event", + "original": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 19763 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "209.73.177.115", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "login.yahoo.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:00.327Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 10182 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2864000000, + "kind": "event", + "original": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 10182 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + 
"tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "original": "http://www.goonernews.com/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:00.343Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 214 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1357000000, + "kind": "event", + "original": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 214 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "css", + "original": "http://www.goonernews.com/styles.css", + "path": "/styles.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:01.315Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 1464 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1464 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + 
"badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/css", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "css", + "original": "http://www.goonernews.com/styles.css", + "path": "/styles.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:02.780Z", + "destination": { + "address": "www.google-analytics.com", + "bytes": 5626 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1464000000, + "kind": "event", + "original": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 5626 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/javascript", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google-analytics.com", + "extension": "js", + "original": "http://www.google-analytics.com/urchin.js", + "path": "/urchin.js", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:03.718Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 30169 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3856000000, + "kind": "event", + "original": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek 
DIRECT/207.58.145.61 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 30169 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "original": "http://www.goonernews.com/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:04.156Z", + "destination": { + "address": "www.google-analytics.com", + "bytes": 399 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1372000000, + "kind": "event", + "original": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? 
badeyek DIRECT/66.102.9.147 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 399 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "66.102.9.147", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google-analytics.com", + "extension": "gif", + "original": "http://www.google-analytics.com/__utm.gif?", + "path": "/__utm.gif", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:04.266Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 215 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1457000000, + "kind": "event", + "original": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 215 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "gif", + "original": "http://www.goonernews.com/graphics/newslogo.gif", + "path": 
"/graphics/newslogo.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:04.281Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 215 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1465000000, + "kind": "event", + "original": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 215 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "jpg", + "original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", + "path": "/shop/arsenal_shop_ad.jpg", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:05.734Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 214 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1452000000, + "kind": "event", + "original": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 214 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": 
"10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "gif", + "original": "http://www.goonernews.com/flags/FUS.gif", + "path": "/flags/FUS.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:05.736Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 1353 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2000000, + "kind": "event", + "original": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1353 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "gif", + "original": "http://www.goonernews.com/flags/FGB.gif", + "path": "/flags/FGB.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:05.953Z", + "destination": { + "address": "as.casalemedia.com", + "bytes": 1013 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2603000000, + "kind": "event", + "original": "1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? 
badeyek DIRECT/209.85.16.38 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1013 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "209.85.16.38", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "as.casalemedia.com", + "original": "http://as.casalemedia.com/s?", + "path": "/s", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:06.703Z", + "destination": { + "bytes": 1845 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 4459000000, + "kind": "event", + "original": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1845 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "68.142.213.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "us.bc.yahoo.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:07.312Z", + "destination": { + "address": "impgb.tradedoubler.com", + "bytes": 729 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" 
+ ], + "duration": 1356000000, + "kind": "event", + "original": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 729 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "217.212.240.172", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 302 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "impgb.tradedoubler.com", + "original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", + "path": "/imp/img/16349696/992098", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:07.751Z", + "destination": { + "address": "4.adbrite.com", + "bytes": 1577 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3484000000, + "kind": "event", + "original": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1577 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "206.169.136.22", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "4.adbrite.com", + "extension": "php", + "original": "http://4.adbrite.com/mb/text_group.php?", + "path": "/mb/text_group.php", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:07.803Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 1353 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 9000000, + "kind": "event", + "original": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1353 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "gif", + "original": "http://www.goonernews.com/flags/FFR.gif", + "path": "/flags/FFR.gif", + "scheme": "http" + } + }, 
+ { + "@timestamp": "2006-09-08T04:22:09.234Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 214 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1431000000, + "kind": "event", + "original": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 214 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "gif", + "original": "http://www.goonernews.com/flags/FAU.gif", + "path": "/flags/FAU.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:09.280Z", + "destination": { + "address": "www.goonernews.com", + "bytes": 213 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1414000000, + "kind": "event", + "original": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 213 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": 
{ + "peer_host": "207.58.145.61", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.goonernews.com", + "extension": "gif", + "original": "http://www.goonernews.com/graphics/spacer.gif", + "path": "/graphics/spacer.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:10.920Z", + "destination": { + "address": "4.adbrite.com", + "bytes": 1784 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1686000000, + "kind": "event", + "original": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1784 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "64.127.126.178", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "4.adbrite.com", + "extension": "php", + "original": "http://4.adbrite.com/mb/text_group.php?", + "path": "/mb/text_group.php", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:11.313Z", + "destination": { + "address": "ff.connextra.com", + "bytes": 851 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3997000000, + "kind": "event", + "original": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? 
badeyek DIRECT/213.160.98.161 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 851 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "213.160.98.161", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 302 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "ff.connextra.com", + "original": "http://ff.connextra.com/Ladbrokes/selector/image?", + "path": "/Ladbrokes/selector/image", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:15.275Z", + "destination": { + "address": "dd.connextra.com", + "bytes": 30904 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3962000000, + "kind": "event", + "original": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? 
badeyek DIRECT/213.160.98.160 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 30904 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "213.160.98.160", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "dd.connextra.com", + "original": "http://dd.connextra.com/servlet/controller?", + "path": "/servlet/controller", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:17.481Z", + "destination": { + "address": "hi5.com", + "bytes": 1661 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 4000000, + "kind": "event", + "original": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1661 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hi5.com", + "original": "http://hi5.com/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:22.757Z", + "destination": { + "bytes": 12569 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 
3657000000, + "kind": "event", + "original": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 12569 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "209.73.177.115", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "login.yahoo.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:23.106Z", + "destination": { + "address": "update.messenger.yahoo.com", + "bytes": 1752 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1752 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "update.messenger.yahoo.com", + "extension": "html", + "original": "http://update.messenger.yahoo.com/msgrcli7.html", + "path": "/msgrcli7.html", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:23.782Z", + "destination": { + 
"address": "shttp.msg.yahoo.com", + "bytes": 484 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1371000000, + "kind": "event", + "original": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 484 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/plain", + "peer_host": "216.155.194.239", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "shttp.msg.yahoo.com", + "original": "http://shttp.msg.yahoo.com/notify/", + "path": "/notify/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:24.736Z", + "destination": { + "address": "hi5.com", + "bytes": 29359 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 4969000000, + "kind": "event", + "original": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 29359 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ], + "user": [ + "nazsoau" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218", + "user": { + "name": "nazsoau" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "204.13.51.238", + "peer_status": 
"DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hi5.com", + "original": "http://hi5.com/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:24.798Z", + "destination": { + "address": "hi5.com", + "bytes": 5930 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1631000000, + "kind": "event", + "original": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 5930 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ], + "user": [ + "nazsoau" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218", + "user": { + "name": "nazsoau" + } + }, + "squid": { + "content_type": "text/css", + "peer_host": "204.13.51.238", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hi5.com", + "extension": "css", + "original": "http://hi5.com/friend/styles/homepage.css", + "path": "/friend/styles/homepage.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:25.641Z", + "destination": { + "address": "shttp.msg.yahoo.com", + "bytes": 1645 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1810000000, + "kind": "event", + "original": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1645 + }, + "method": "POST" + } + }, + "observer": { + "product": 
"Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/plain", + "peer_host": "216.155.194.239", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "shttp.msg.yahoo.com", + "original": "http://shttp.msg.yahoo.com/notify/", + "path": "/notify/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:26.267Z", + "destination": { + "address": "rms.adobe.com", + "bytes": 1812 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 880000000, + "kind": "event", + "original": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1812 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.58" + ] + }, + "source": { + "address": "10.105.37.58", + "ip": "10.105.37.58" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "rms.adobe.com", + "extension": "xml", + "original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", + "path": "/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:27.190Z", + "destination": { + "address": "images.hi5.com", + "bytes": 217 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 10000000, + 
"kind": "event", + "original": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 217 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ], + "user": [ + "nazsoau" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218", + "user": { + "name": "nazsoau" + } + }, + "squid": { + "content_type": "text/css", + "peer_status": "NONE", + "result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hi5.com", + "extension": "css", + "original": "http://images.hi5.com/styles/style.css", + "path": "/styles/style.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:27.307Z", + "destination": { + "address": "images.hi5.com", + "bytes": 217 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 116000000, + "kind": "event", + "original": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 217 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ], + "user": [ + "nazsoau" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218", + "user": { + "name": "nazsoau" + } + }, + "squid": { + "content_type": "text/css", + "peer_status": "NONE", + "result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hi5.com", + "extension": "css", + "original": 
"http://images.hi5.com/friend/styles/buttons_en_us.css", + "path": "/friend/styles/buttons_en_us.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:27.751Z", + "destination": { + "address": "hi5.com", + "bytes": 27799 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 6160000000, + "kind": "event", + "original": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 27799 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ], + "user": [ + "nazsoau" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218", + "user": { + "name": "nazsoau" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "204.13.51.238", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hi5.com", + "original": "http://hi5.com/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:29.064Z", + "destination": { + "address": "hi5.com", + "bytes": 4470 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1758000000, + "kind": "event", + "original": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 4470 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.218" + ], + "user": [ + "nazsoau" + ] + }, + "source": { + "address": "10.105.47.218", + "ip": "10.105.47.218", + 
"user": { + "name": "nazsoau" + } + }, + "squid": { + "content_type": "text/css", + "peer_host": "204.13.51.238", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hi5.com", + "extension": "css", + "original": "http://hi5.com/friend/styles/headernav.css", + "path": "/friend/styles/headernav.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:30.829Z", + "destination": { + "address": "shttp.msg.yahoo.com", + "bytes": 382 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1393000000, + "kind": "event", + "original": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 382 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/plain", + "peer_host": "216.155.194.239", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "shttp.msg.yahoo.com", + "original": "http://shttp.msg.yahoo.com/notify/", + "path": "/notify/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:33.439Z", + "destination": { + "address": "insider.msg.yahoo.com", + "bytes": 24095 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3667000000, + "kind": "event", + "original": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? 
adeolaegbedokun DIRECT/68.142.194.14 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 24095 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.194.14", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "insider.msg.yahoo.com", + "original": "http://insider.msg.yahoo.com/?", + "path": "/", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:33.939Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 22964 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 4899000000, + "kind": "event", + "original": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 22964 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "asp", + "original": 
"http://radio.launch.yahoo.com/radio/play/playmessenger.asp", + "path": "/radio/play/playmessenger.asp", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:34.877Z", + "destination": { + "address": "shttp.msg.yahoo.com", + "bytes": 646 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1349000000, + "kind": "event", + "original": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 646 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/plain", + "peer_host": "216.155.194.239", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "shttp.msg.yahoo.com", + "original": "http://shttp.msg.yahoo.com/notify/", + "path": "/notify/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:35.517Z", + "destination": { + "address": "address.yahoo.com", + "bytes": 699 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1578000000, + "kind": "event", + "original": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? 
adeolaegbedokun DIRECT/209.191.93.51 text/xml", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 699 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/xml", + "peer_host": "209.191.93.51", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "address.yahoo.com", + "original": "http://address.yahoo.com/yab/us?", + "path": "/yab/us", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:36.907Z", + "destination": { + "address": "fxfeeds.mozilla.org", + "bytes": 734 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 6741000000, + "kind": "event", + "original": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 734 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "63.245.209.21", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 302 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "fxfeeds.mozilla.org", + "extension": "xml", + "original": "http://fxfeeds.mozilla.org/rss20.xml", + "path": "/rss20.xml", 
+ "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:37.267Z", + "destination": { + "address": "insider.msg.yahoo.com", + "bytes": 31400 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 6424000000, + "kind": "event", + "original": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.231.252 text/xml", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 31400 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/xml", + "peer_host": "68.142.231.252", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "insider.msg.yahoo.com", + "original": "http://insider.msg.yahoo.com/ycontent/?", + "path": "/ycontent/", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:37.720Z", + "destination": { + "address": "insider.msg.yahoo.com", + "bytes": 21152 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2831000000, + "kind": "event", + "original": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 21152 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/xml", + "peer_host": "68.142.194.14", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "insider.msg.yahoo.com", + "original": "http://insider.msg.yahoo.com/ycontent/?", + "path": "/ycontent/", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:38.173Z", + "destination": { + "bytes": 1667 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1667 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.17" + ] + }, + "source": { + "address": "10.105.37.17", + "ip": "10.105.37.17" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "us.mcafee.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:38.174Z", + "destination": { + "address": "us.mcafee.com", + "bytes": 1767 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 0, + "kind": "event", + 
"original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1767 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.17" + ] + }, + "source": { + "address": "10.105.37.17", + "ip": "10.105.37.17" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.mcafee.com", + "extension": "asp", + "original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "path": "/apps/agent/submgr/appinstru.asp", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:38.174Z", + "destination": { + "address": "us.mcafee.com", + "bytes": 1761 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 0, + "kind": "event", + "original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1761 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.17" + ] + }, + "source": { + "address": "10.105.37.17", + "ip": "10.105.37.17" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.mcafee.com", + "extension": "asp", + "original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "path": "/apps/agent/submgr/appsync.asp", + "scheme": "http" + } + }, + { + "@timestamp": 
"2006-09-08T04:22:38.226Z", + "destination": { + "bytes": 1667 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 0, + "kind": "event", + "original": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1667 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.17" + ] + }, + "source": { + "address": "10.105.37.17", + "ip": "10.105.37.17" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "us.mcafee.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:38.486Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 711000000, + "kind": "event", + "original": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + 
"original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", + "path": "/radio/clientdata/538/images/btn_stations.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:38.683Z", + "destination": { + "bytes": 1667 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 0, + "kind": "event", + "original": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1667 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.17" + ] + }, + "source": { + "address": "10.105.37.17", + "ip": "10.105.37.17" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "us.mcafee.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:39.199Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 713000000, + "kind": "event", + "original": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + 
"peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", + "path": "/radio/clientdata/538/images/btn_stations_over.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:39.269Z", + "destination": { + "address": "shttp.msg.yahoo.com", + "bytes": 362 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1982000000, + "kind": "event", + "original": "1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 362 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/plain", + "peer_host": "216.155.194.239", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "shttp.msg.yahoo.com", + "original": "http://shttp.msg.yahoo.com/notify/", + "path": "/notify/", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:39.924Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 511 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 725000000, + "kind": "event", + "original": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif 
adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 511 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", + "path": "/radio/clientdata/538/skins/1/images/bg_left.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:40.611Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 687000000, + "kind": "event", + "original": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": 
"radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", + "path": "/radio/clientdata/538/images/launchcast_radio.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:40.980Z", + "destination": { + "address": "us.mcafee.com", + "bytes": 1767 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1767 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.191" + ] + }, + "source": { + "address": "10.105.47.191", + "ip": "10.105.47.191" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.mcafee.com", + "extension": "asp", + "original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "path": "/apps/agent/submgr/appinstru.asp", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:41.188Z", + "destination": { + "address": "us.mcafee.com", + "bytes": 1761 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1761 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.191" 
+ ] + }, + "source": { + "address": "10.105.47.191", + "ip": "10.105.47.191" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.mcafee.com", + "extension": "asp", + "original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "path": "/apps/agent/submgr/appsync.asp", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:41.393Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 783000000, + "kind": "event", + "original": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", + "path": "/radio/clientdata/538/skins/1/images/bg_right.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:41.564Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 
2242000000, + "kind": "event", + "original": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", + "path": "/radio/clientdata/538/skins/1/images/bg_center.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:42.220Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 827000000, + "kind": "event", + "original": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { 
+ "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", + "path": "/radio/clientdata/538/skins/1/images/bg_controls_off.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:42.315Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 512 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 751000000, + "kind": "event", + "original": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 512 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "path": "/radio/common_radio/resources/images/t.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:42.318Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 218 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3000000, + "kind": "event", + "original": 
"1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 218 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + "result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", + "path": "/radio/clientdata/538/images/btn_off_state_station.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:42.332Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 218 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 13000000, + "kind": "event", + "original": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 218 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + 
"result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "gif", + "original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", + "path": "/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:42.341Z", + "destination": { + "address": "us.i1.yimg.com", + "bytes": 2263 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 8000000, + "kind": "event", + "original": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 2263 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.i1.yimg.com", + "extension": "gif", + "original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", + "path": "/us.yimg.com/i/us/toolbar50x50.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:43.423Z", + "destination": { + "address": "newsrss.bbc.co.uk", + "bytes": 17396 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 6517000000, + "kind": "event", + "original": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek 
DIRECT/212.58.226.33 application/xml", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 17396 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "application/xml", + "peer_host": "212.58.226.33", + "peer_status": "DIRECT", + "result_code": "TCP_REFRESH_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "newsrss.bbc.co.uk", + "extension": "xml", + "original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", + "path": "/rss/newsonline_world_edition/front_page/rss.xml", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:44.361Z", + "destination": { + "address": "insider.msg.yahoo.com", + "bytes": 407 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2140000000, + "kind": "event", + "original": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 407 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "68.142.231.252", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": 
"insider.msg.yahoo.com", + "extension": "php", + "original": "http://insider.msg.yahoo.com/ycontent/beacon.php", + "path": "/ycontent/beacon.php", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:44.402Z", + "destination": { + "address": "us.ent1.yimg.com", + "bytes": 219 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 7000000, + "kind": "event", + "original": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 219 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/jpeg", + "peer_status": "NONE", + "result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.ent1.yimg.com", + "extension": "jpg", + "original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", + "path": "/images.launch.yahoo.com/000/032/457/32457654.jpg", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:44.411Z", + "destination": { + "address": "us.news1.yimg.com", + "bytes": 10593 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 8000000, + "kind": "event", + "original": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { 
+ "body": { + "bytes": 10593 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/jpeg", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.news1.yimg.com", + "extension": "jpg", + "original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "path": "/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:45.312Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 1270 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2420000000, + "kind": "event", + "original": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1270 + }, + "method": "POST" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 302 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "asp", + 
"original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", + "path": "/radio/play/authplay.asp", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:46.377Z", + "destination": { + "address": "us.news1.yimg.com", + "bytes": 10519 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1966000000, + "kind": "event", + "original": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 10519 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/jpeg", + "peer_host": "213.160.98.159", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.news1.yimg.com", + "extension": "jpg", + "original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "path": "/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:48.080Z", + "destination": { + "address": "radio.music.yahoo.com", + "bytes": 515 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1703000000, + "kind": "event", + "original": "1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 515 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/xml", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.music.yahoo.com", + "extension": "asp", + "original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "path": "/radio/player/ymsgr/initstationfeed.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:48.370Z", + "destination": { + "address": "radio.music.yahoo.com", + "bytes": 14411 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3057000000, + "kind": "event", + "original": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 14411 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/xml", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.music.yahoo.com", + "extension": "asp", + "original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "path": "/radio/player/ymsgr/initstationfeed.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:48.889Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 1627 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 808000000, + "kind": "event", + "original": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1627 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "asp", + "original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", + "path": "/radio/play/authplay.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:49.097Z", + "destination": { + "address": "natrocket.kmip.net", + "bytes": 1728 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1226000000, + "kind": "event", + "original": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? 
- NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1728 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.65" + ] + }, + "source": { + "address": "10.105.37.65", + "ip": "10.105.37.65" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "natrocket.kmip.net", + "original": "http://natrocket.kmip.net:5288/iesocks?", + "path": "/iesocks", + "port": 5288, + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:49.702Z", + "destination": { + "address": "natrocket.kmip.net", + "bytes": 1725 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 0, + "kind": "event", + "original": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? 
- NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1725 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.65" + ] + }, + "source": { + "address": "10.105.37.65", + "ip": "10.105.37.65" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "natrocket.kmip.net", + "original": "http://natrocket.kmip.net:5288/return?", + "path": "/return", + "port": 5288, + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:50.125Z", + "destination": { + "address": "us.news1.yimg.com", + "bytes": 13124 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1202000000, + "kind": "event", + "original": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 13124 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/jpeg", + "peer_host": "213.160.98.159", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.news1.yimg.com", + "extension": "jpg", + "original": 
"http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "path": "/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:50.862Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 912 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 736000000, + "kind": "event", + "original": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 912 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 302 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "asp", + "original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", + "path": "/radio/clientdata/515/starter.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:51.690Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 1450 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 828000000, + "kind": "event", + "original": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1450 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "asp", + "original": "http://radio.launch.yahoo.com/radio/player/default.asp?", + "path": "/radio/player/default.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:51.987Z", + "destination": { + "address": "us.a2.yimg.com", + "bytes": 30432 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3617000000, + "kind": "event", + "original": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? 
adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 30432 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "application/x-shockwave-flash", + "peer_host": "213.160.98.152", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.a2.yimg.com", + "extension": "swf", + "original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", + "path": "/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:53.315Z", + "destination": { + "address": "radio.launch.yahoo.com", + "bytes": 14643 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1626000000, + "kind": "event", + "original": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 14643 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "68.142.219.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "radio.launch.yahoo.com", + "extension": "asp", + "original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", + "path": "/radio/player/stickwall.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:54.065Z", + "destination": { + "address": "us.bc.yahoo.com", + "bytes": 425 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2078000000, + "kind": "event", + "original": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 425 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "68.142.213.132", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.bc.yahoo.com", + "original": "http://us.bc.yahoo.com/b?", + "path": "/b", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:56.221Z", + "destination": { + "address": "insider.msg.yahoo.com", + "bytes": 407 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2130000000, + "kind": "event", + "original": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? 
adeolaegbedokun DIRECT/68.142.194.14 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 407 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "68.142.194.14", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "insider.msg.yahoo.com", + "extension": "php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", + "original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", + "path": "/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:57.171Z", + "destination": { + "bytes": 1476 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3412000000, + "kind": "event", + "original": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1476 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "216.109.124.55", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + 
"status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "pclick.internal.yahoo.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:57.191Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 233 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 11000000, + "kind": "event", + "original": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 233 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "application/x-javascript", + "peer_status": "NONE", + "result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "js", + "original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", + "path": "/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:57.424Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 236 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1159000000, + "kind": "event", + "original": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET 
http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 236 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "text/css", + "peer_host": "213.160.98.159", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "css", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", + "path": "/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:58.221Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 238 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 797000000, + "kind": "event", + "original": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 238 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": 
"adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "213.160.98.159", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", + "path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:58.473Z", + "destination": { + "bytes": 2681 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3288000000, + "kind": "event", + "original": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 2681 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "peer_host": "209.73.177.115", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "login.yahoo.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:22:58.909Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 136 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1405000000, + "kind": "event", + "original": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET 
http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 136 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "peer_host": "213.160.98.167", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", + "path": "/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:58.924Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 237 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 702000000, + "kind": "event", + "original": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 237 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": 
"10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "213.160.98.159", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", + "path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:58.929Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 218 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 4000000, + "kind": "event", + "original": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 218 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + "result_code": "TCP_IMS_HIT", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "path": "/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + 
"scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:59.472Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 238 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 563000000, + "kind": "event", + "original": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 238 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "213.160.98.167", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", + "path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:22:59.488Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 238 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 560000000, + "kind": "event", + "original": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun 
DIRECT/213.160.98.159 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 238 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "213.160.98.159", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", + "path": "/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:00.159Z", + "destination": { + "address": "a1568.g.akamai.net", + "bytes": 238 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 685000000, + "kind": "event", + "original": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 238 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + 
"peer_host": "213.160.98.167", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 304 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "a1568.g.akamai.net", + "extension": "gif", + "original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", + "path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:01.267Z", + "destination": { + "address": "www.google.com", + "bytes": 1728 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1728 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.180" + ] + }, + "source": { + "address": "10.105.37.180", + "ip": "10.105.37.180" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google.com", + "original": "http://www.google.com/supported_domains", + "path": "/supported_domains", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:01.659Z", + "destination": { + "address": "us.mcafee.com", + "bytes": 1782 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 0, + "kind": "event", + "original": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? 
- NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1782 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.47.191" + ] + }, + "source": { + "address": "10.105.47.191", + "ip": "10.105.47.191" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.mcafee.com", + "extension": "asp", + "original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", + "path": "/apps/agent/en-us/agent5/chknews.asp", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:01.660Z", + "destination": { + "address": "launch.adserver.yahoo.com", + "bytes": 449 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2171000000, + "kind": "event", + "original": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? 
adeolaegbedokun DIRECT/216.109.125.112 image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 449 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.33.214" + ], + "user": [ + "adeolaegbedokun" + ] + }, + "source": { + "address": "10.105.33.214", + "ip": "10.105.33.214", + "user": { + "name": "adeolaegbedokun" + } + }, + "squid": { + "content_type": "image/gif", + "peer_host": "216.109.125.112", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "launch.adserver.yahoo.com", + "original": "http://launch.adserver.yahoo.com/l?", + "path": "/l", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:02.173Z", + "destination": { + "address": "uk.f250.mail.yahoo.com", + "bytes": 11746 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 3700000000, + "kind": "event", + "original": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 11746 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "text/html", + "peer_host": "217.12.10.96", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "uk.f250.mail.yahoo.com", + "original": "http://uk.f250.mail.yahoo.com/dc/launch?", + "path": "/dc/launch", + "query": "", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:02.622Z", + "destination": { + "bytes": 1670 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1670 + }, + "method": "CONNECT" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.37.180" + ] + }, + "source": { + "address": "10.105.37.180", + "ip": "10.105.37.180" + }, + "squid": { + "content_type": "text/html", + "peer_status": "NONE", + "result_code": "TCP_DENIED", + "status_code": 407 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "login.live.com:443" + } + }, + { + "@timestamp": "2006-09-08T04:23:04.316Z", + "destination": { + "address": "us.js2.yimg.com", + "bytes": 633 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 2828000000, + "kind": "event", + "original": 
"1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 633 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "application/x-javascript", + "peer_host": "213.160.98.169", + "peer_status": "DIRECT", + "result_code": "TCP_SWAPFAIL_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.js2.yimg.com", + "extension": "js", + "original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", + "path": "/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:05.714Z", + "destination": { + "address": "us.js1.yimg.com", + "bytes": 1742 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1397000000, + "kind": "event", + "original": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 1742 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + 
"content_type": "text/css", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.js1.yimg.com", + "extension": "css", + "original": "http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", + "path": "/us.yimg.com/lib/hdr/ygma5.css", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:07.690Z", + "destination": { + "address": "us.js2.yimg.com", + "bytes": 14561 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1977000000, + "kind": "event", + "original": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 14561 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "application/x-javascript", + "peer_host": "213.160.98.169", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.js2.yimg.com", + "extension": "js", + "original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "path": "/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:07.771Z", + "destination": { + "address": "us.js1.yimg.com", + "bytes": 68733 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 80000000, 
+ "kind": "event", + "original": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 68733 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "application/x-javascript", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.js1.yimg.com", + "extension": "js", + "original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", + "path": "/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:07.830Z", + "destination": { + "address": "us.js2.yimg.com", + "bytes": 898 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 1000000, + "kind": "event", + "original": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 898 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "application/x-javascript", + "peer_status": "NONE", + "result_code": "TCP_HIT", + 
"status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.js2.yimg.com", + "extension": "js", + "original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", + "path": "/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", + "scheme": "http" + } + }, + { + "@timestamp": "2006-09-08T04:23:07.832Z", + "destination": { + "address": "us.i1.yimg.com", + "bytes": 26803 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "duration": 60000000, + "kind": "event", + "original": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 26803 + }, + "method": "GET" + } + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "10.105.21.199" + ], + "user": [ + "badeyek" + ] + }, + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" + } + }, + "squid": { + "content_type": "image/gif", + "peer_status": "NONE", + "result_code": "TCP_HIT", + "status_code": 200 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us.i1.yimg.com", + "extension": "gif", + "original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", + "path": "/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", + "scheme": "http" + } + } + ] +} \ No newline at end of file diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json b/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json deleted file mode 100644 index e624feca740..00000000000 --- a/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json +++ /dev/null 
@@ -1,904 +0,0 @@ -{ - "expected": [ - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? 
badeyek DIRECT/66.102.9.147 image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? 
badeyek DIRECT/213.160.98.160 image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - 
"message": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? 
adeolaegbedokun DIRECT/68.142.194.14 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.231.252 text/xml", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "tags": [ - "preserve_original_event" - ] - }, - { - 
"ecs": { - "version": "8.11.0" - }, - "message": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689362.315 751 10.105.33.214 
TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? 
- NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? adeolaegbedokun DIRECT/68.142.194.14 image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET 
http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET 
http://www.google.com/supported_domains - NONE/- text/html",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? badeyek DIRECT/217.12.10.96 text/html",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.11.0"
- },
- "message": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif",
- "tags": [
- "preserve_original_event"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log b/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log
deleted file mode 100644
index 14078eea632..00000000000
--- a/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] "PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite" 10.234.224.44 etdo tation "quasiarc" liqua ciade 5699 "https://example.net/umq/ntium.gif?nes=eab#aliqu" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny -10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] "PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU" 10.70.36.222 estlabo doeiu "nia" olupt volup 208 "https://example.com/eosquir/orsi.txt?itessequ=vol#luptat" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny -10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] "OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident" 10.142.172.64 lupt tia "oloremqu" temvel iatu 5493 "https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] "GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia" quiavo 1156 "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" allow 10.81.122.126 taev 160.145000 -10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] "PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad" 10.171.175.51 boreet onev "tenima" laboreet aquaeabi 5738 "https://api.example.net/veleumi/tia.gif?ude=maveniam#uian" "Mozilla/5.0 (Linux; 
Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] "HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo" 10.12.195.60 uiano mrema "autfu" natura aboris 2946 "https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept -10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] "DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt" 10.207.249.121 iciade tsed "orai" mUt usmodte 1296 "https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" allow -10.34.9.93 124 [08/May/2016:7:27:59 onse] "PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio" 10.116.120.216 qua umdo "sed" apariat mol 1510 "https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" accept -10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] "HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd" 10.30.216.41 enim saute "vel" quu undeo 5794 "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept -10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] "CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup" 10.203.172.203 idestla Nemoeni "uradi" aborumSe luptat 6884 "https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor" "Mozilla/5.0 (Linux; Android 9; 
POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] "UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa" 10.158.185.163 rudexerc aliq "rsitam" quam adm 987 "https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi" "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g" allow -10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] "OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae" 10.201.76.240 amqu uines "nsec" onse emips 2655 "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" accept -10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] "COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat" 10.206.136.206 suntinc xeac "nidolo" tatn eli 6462 "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] "COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum" 10.134.161.118 tat ipitla "quae" maccusa uptat 3458 "https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" block -10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] "NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat" 10.76.3.41 isc aturve "emulla" mpori aaliquaU 2989 "https://www5.example.com/ern/psaquae.html?nsectet=utla#utei" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] "PROPFIND https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali" 10.249.213.83 nsecte itame "eumfug" lit asun 1250 "https://api.example.com/oluptate/onseq.html?labore=texp#tMalor" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept -10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] "HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre" 10.236.248.65 pisciv iquidex "radipisc" tmo fficiade 3280 "https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] "PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali" 10.214.7.83 liquide etdol "uela" boN eprehend 2462 "https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] "GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn" 10.49.92.179 osamn isnisiu "bore" tsu tcons 3128 "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] "PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit" 10.90.86.89 piscin lapar "laboree" tfu udan 5516 "https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] "PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio" 10.14.48.16 sintoc volupt "siste" uiinea Utenima 1612 "https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] "CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure" 10.93.123.174 evelit reetdolo "smo" etcons iusmodi 1563 "https://example.com/uiac/epte.gif?itam=aper#santiumd" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] "MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon" 10.233.48.103 leumiur tlab "aperiame" isc ullamcor 584 "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.93.220.10 2805 [23/Dec/2016:12:09:07 com] "PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu" 10.27.58.92 amvo qui "tasn" Nemoenim squirati 63 "https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] "PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni" 10.135.217.12 metMalo ntexplic "archite" loreme untu 5676 "https://example.net/con/nisist.gif?ium=esciuntN#idunt" "Mozilla/5.0 (Linux; Android 9; G8142) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] "PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt" 10.233.239.112 npr mquelau "iadolor" amcol adeser 3780 "https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" cancel -10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] "CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi" 10.21.169.127 rpori ice "oles" edic seq 2835 "https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] "LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge" 10.69.139.26 ditemp edqui "nre" veli volupta 7124 "https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] "COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi" 10.104.80.189 dolore onsecte "nBCSedut" ugiat onulam 1542 "https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] "UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol" 10.116.230.217 mvele isis "uasiar" utlab emUteni 7122 "https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block -10.26.96.202 2751 [02/Apr/2017:1:27:07 
rautodi] "ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu" 10.119.90.128 lor oraincid "intocc" amcorp ntsunt 4826 "https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel -10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] "HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo" 10.76.110.144 tdol upt "mex" tatem untutlab 3386 "https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" deny -10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] "MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo" 10.135.46.242 lupta xeaco "nvolupt" oremi elites 1940 "https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] "TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri" 10.154.53.249 tae autodit "elit" cidunt plica 7398 "https://internal.example.org/emqu/nderi.html?accusant=onse#admin" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" accept -10.93.39.140 4275 [29/May/2017:5:37:24 ute] "COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc" 10.150.245.88 orisn reetd "prehen" ntutlabo iusmodte 1738 "https://example.org/isc/Nequepor.txt?rem=idid#tesse" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 
Yowser/2.5 Safari/537.36" cancel -10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] "UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu" 10.73.207.70 llamco atu "untincul" ssecil commodi 3023 "https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] "GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac" temUt 2741 "https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow 10.50.124.116 numquam 104.719000 -10.173.222.131 918 [11/Jul/2017:2:45:07 ori] "TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil" 10.211.234.224 uiadol Duisa "lupta" aUt boNem 5564 "https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] "PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed" 10.0.157.225 itam atu "lloin" remipsum tempor 1282 "https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] "PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia" 10.92.237.93 mad onse "redol" gnaa mod 5107 "https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.102.215.23 
3665 [22/Aug/2017:11:52:50 esseq] "POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN" 10.20.28.92 econs ntexpl "dunt" litsedq nderiti 409 "https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" allow -10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] "NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic" 10.17.87.79 tetur tionula "ritqu" ecatcupi uamei 4595 "https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] "DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc" 10.189.94.51 tetura rsp "oluptat" metco acom 5704 "https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" allow -10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] "GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco" 10.101.85.169 natu liquid "enim" Finibus radi 5697 "https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" accept -10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] "HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi" 10.231.7.209 lorsita eavol "osamnis" temaccu scipitl 1247 "https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block -10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] "CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh 
ratv" 10.77.129.175 tali BCS "qui" ugiatquo incidid 2617 "https://www.example.com/sBonor/fugits.jpg?amc=vol#admi" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.51.236.148 329 [16/Nov/2017:6:08:15 adol] "PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup" 10.116.146.114 col obea "emp" agnaaliq est 1444 "https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny -10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] "NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse" 10.217.222.99 ame amvolu "mip" tion tobeatae 2512 "https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" block -10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] "PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis" 10.150.198.112 ntmoll mexer "estla" uipexe abor 1370 "https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.45.114.111 357 [29/Dec/2017:3:15:58 olup] "POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab" 10.45.54.107 seddoeiu nse "aali" edictasu mdolors 7490 "https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" accept 
-10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] "TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia" 10.205.28.24 oeni untutlab "tvolup" consecte pteurs 742 "https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" allow -10.17.202.219 487 [27/Jan/2018:5:21:06 iame] "HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni" 10.183.223.149 cor odoco "oin" itseddoe elites 6366 "https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny -10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] "MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan" 10.88.172.222 doconse etdol "dolorsi" nturmag tura 6695 "https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau" "mobmail android 2.1.3.3150" cancel -10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] "OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero" 10.247.53.179 issu identsu "piscivel" hend eacommo 6835 "https://example.com/osquira/umd.gif?scipi=tur#acon" "mobmail android 2.1.3.3150" accept -10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] "UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido" 10.172.148.223 snulap enimadm "stenatu" upta atc 3066 "https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon" "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80" accept -10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] "GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico" 10.232.19.43 porinc riame "riat" sseq eriam 729 
"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.207.97.192 973 [08/Apr/2018:4:33:58 emp] "ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx" 10.55.55.72 nculp asp "eacom" mag gelitse 2007 "https://example.net/lab/llumq.htm?tetura=rumet#uptasnul" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.41.156.88 203 [22/Apr/2018:11:36:32 oco] "MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat" 10.89.73.240 orem ntorever "pisciv" fugiatqu seos 5561 "https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" deny -10.54.44.231 5292 [07/May/2018:6:39:06 aco] "CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios" 10.101.183.86 mvenia mcorpo "ntexpl" abor oreverit 6451 "https://internal.example.net/tat/eufugia.htm?tau=fficia#est" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" allow -10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] "LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc" 10.130.150.189 oreeu nvo "iamqui" tassita colabori 1223 "https://www.example.net/lpa/isn.htm?iat=ffic#siuta" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] "GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup" 10.83.130.95 ipitlabo userror "eacommo" nderi liqua 7030 
"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" deny -10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] "COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt" 10.166.160.217 olor radip "rchitect" Dui iameaqu 2429 "https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny -10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] "UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu" 10.183.243.246 amni tatio "amquisno" modoc magnam 3267 "https://example.com/idatat/onev.html?lesti=oreseo#reprehen" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel -10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] "OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam" 10.202.224.209 iusmodit aturv "ectetura" obeataev umf 3141 "https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" cancel -10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] "PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors" 10.170.234.233 accus uatu "mquis" lab uido 2046 "https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] "DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic" 10.142.130.227 olabori odic "iuta" liquaUte scivelit 7795 
"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" allow -10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] "DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini" 10.61.110.7 oremque quaU "ufugi" cin tmo 508 "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny -10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] "COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore" 10.68.198.188 doeiu onsectet "dentsunt" inea animid 2119 "https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" block -10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] "CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit" 10.169.63.169 ariat midestl "quatu" avolu teturad 3465 "https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block -10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] "PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima" 10.62.10.137 eeufugi deomnisi "olupta" oll laboree 3880 "https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] "COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud" 10.255.40.12 rro oeiusmo "nimv" emeu tatemac 5192 
"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" deny -10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] "GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam" tuser 2694 "https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" deny 10.88.98.31 rured 105.243000 -10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] "OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi" 10.1.27.133 edqu tationu "gnaaliq" olore ntutlab 6881 "https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] "POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco" 10.70.244.155 olorsi caboNemo "uptas" temaccus ons 2160 "https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" accept -10.204.214.98 985 [21/Dec/2018:11:20:14 equ] "PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo" 10.121.80.158 boriosa cillumdo "ditau" moenimip uames 7663 "https://internal.example.com/lor/oreeu.html?eturadip=nost#atus" "Mozilla/5.0 (Linux; Android 
7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] "PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu" 10.139.151.19 eumf roquisq "uasi" maveniam uis 5533 "https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] "DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat" 10.242.48.203 ctobeat isi "idexeac" ntu tdolo 3872 "https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" deny -10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] "PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod" 10.254.10.98 adipisc aparia "maliq" ccusant epteurs 6661 "https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca" "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36" accept -10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] "LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr" 10.175.138.42 olore onemul "trudexe" remeum etur 890 "https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] "PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch" 10.18.199.203 ugits ittenb "tobeatae" ntut llum 366 "https://example.com/equat/estiaec.htm?mquido=ende#ntmollit" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] "NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt" 10.73.80.251 pteurs ercitati "atem" serro lumquid 5939 "https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" allow -10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] "PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill" 10.22.34.206 mini mve "tionev" uasiarch velites 1745 "https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" block -10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] "CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt" 10.199.103.185 uipe ipsa "con" eirured sequamn 5243 "https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" allow -10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] "COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab" 10.128.84.27 nula ptate "volupta" umfu utla 2478 "https://www5.example.com/dolo/velites.gif?equa=apari#tsunt" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block -10.49.169.175 2103 [13/May/2019:9:45:57 sistena] "HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines" 10.115.154.104 illum ore "spici" Sedut tatis 7767 
"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow -10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] "PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse" 10.33.112.100 catcup enimad "magnaali" velillum ionev 1594 "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" block -10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] "CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa" 10.25.53.93 tvolup oremeu "lab" lla urau 6127 "https://example.net/equamni/atcupi.htm?onemull=mdo#labore" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] "HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu" 10.246.115.57 edquiano mSecti "henderi" taevitae tevel 5926 "https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] "NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse" 10.82.148.126 inBCSedu ita "ade" nihilmol nder 2214 "https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" block -10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] "DELETE 
https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali" 10.6.11.124 edqui tvolu "psu" strud onsequ 5930 "https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" accept -10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] "CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov" 10.145.25.55 litsed lumd "tiaec" lorem iamquisn 2079 "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] "TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm" 10.6.88.105 uptatemU rem "onorumet" iscivel rinci 249 "https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" allow -10.252.146.132 503 [05/Sep/2019:6:06:31 tat] "CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi" 10.163.9.35 uatDu umq "ipsu" oremip ota 4562 "https://example.com/epteurs/itse.jpg?modi=cip#tla" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] "DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo" 10.235.160.245 squamest upta "umquiad" porinc uameiu 4857 "https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" deny -10.140.170.171 773 [03/Oct/2019:8:11:40 deom] "TRACE 
https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici" 10.73.218.58 quidol tinv "Utenima" nse umq 1831 "https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] "OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu" 10.67.148.40 tcons squamest "ction" emveleum siuta 2155 "https://example.com/epteur/onproi.txt?imveniam=sunte#exerc" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny -10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] "UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa" 10.37.33.179 taed eatae "siutali" oloremq sum 6106 "https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat" "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept -10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] "MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv" 10.84.107.38 tutla usmod "ine" qui itse 2097 "https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny -10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] "POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit" 10.204.223.184 oinve ptasnul "utaliqui" mcorpor rerepr 6861 "https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny -10.195.4.70 3844 
[14/Dec/2019:7:24:31 mfugiat] "PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela" 10.229.39.190 Nequepo edictas "emac" rmagnido exeaco 2574 "https://api.example.org/loremi/nven.htm?usan=ugiatn#squa" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny
diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
deleted file mode 100644
index 2fd0ffb778a..00000000000
--- a/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
+++ /dev/null
@@ -1,904 +0,0 @@ -{ - "expected": [ - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] \"PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite\" 10.234.224.44 etdo tation \"quasiarc\" liqua ciade 5699 \"https://example.net/umq/ntium.gif?nes=eab#aliqu\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] \"PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU\" 10.70.36.222 estlabo doeiu \"nia\" olupt volup 208 \"https://example.com/eosquir/orsi.txt?itessequ=vol#luptat\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] \"OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident\" 10.142.172.64 lupt tia \"oloremqu\" temvel iatu 5493 \"https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] \"GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia\" quiavo 1156 \"https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU 
Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" allow 10.81.122.126 taev 160.145000", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] \"PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad\" 10.171.175.51 boreet onev \"tenima\" laboreet aquaeabi 5738 \"https://api.example.net/veleumi/tia.gif?ude=maveniam#uian\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] \"HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo\" 10.12.195.60 uiano mrema \"autfu\" natura aboris 2946 \"https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] \"DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt\" 10.207.249.121 iciade tsed \"orai\" mUt usmodte 1296 \"https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.34.9.93 124 [08/May/2016:7:27:59 onse] \"PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio\" 10.116.120.216 qua umdo \"sed\" apariat mol 1510 
\"https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] \"HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd\" 10.30.216.41 enim saute \"vel\" quu undeo 5794 \"https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] \"CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup\" 10.203.172.203 idestla Nemoeni \"uradi\" aborumSe luptat 6884 \"https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] \"UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa\" 10.158.185.163 rudexerc aliq \"rsitam\" quam adm 987 \"https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi\" \"Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] \"OPTIONS 
https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae\" 10.201.76.240 amqu uines \"nsec\" onse emips 2655 \"https://example.net/tion/eataev.htm?uiineavo=tisetq#irati\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] \"COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat\" 10.206.136.206 suntinc xeac \"nidolo\" tatn eli 6462 \"https://www.example.net/pida/nse.html?emeumfu=CSed#lupt\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] \"COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum\" 10.134.161.118 tat ipitla \"quae\" maccusa uptat 3458 \"https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] \"NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat\" 10.76.3.41 isc aturve \"emulla\" mpori aaliquaU 2989 \"https://www5.example.com/ern/psaquae.html?nsectet=utla#utei\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] \"PROPFIND 
https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali\" 10.249.213.83 nsecte itame \"eumfug\" lit asun 1250 \"https://api.example.com/oluptate/onseq.html?labore=texp#tMalor\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] \"HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre\" 10.236.248.65 pisciv iquidex \"radipisc\" tmo fficiade 3280 \"https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] \"PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali\" 10.214.7.83 liquide etdol \"uela\" boN eprehend 2462 \"https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] \"GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn\" 10.49.92.179 osamn isnisiu \"bore\" tsu tcons 3128 \"https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": 
"10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] \"PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit\" 10.90.86.89 piscin lapar \"laboree\" tfu udan 5516 \"https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] \"PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio\" 10.14.48.16 sintoc volupt \"siste\" uiinea Utenima 1612 \"https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] \"CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure\" 10.93.123.174 evelit reetdolo \"smo\" etcons iusmodi 1563 \"https://example.com/uiac/epte.gif?itam=aper#santiumd\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] \"MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon\" 10.233.48.103 leumiur tlab \"aperiame\" isc ullamcor 584 \"https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "tags": [ - "preserve_original_event" - ] 
- }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.93.220.10 2805 [23/Dec/2016:12:09:07 com] \"PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu\" 10.27.58.92 amvo qui \"tasn\" Nemoenim squirati 63 \"https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] \"PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni\" 10.135.217.12 metMalo ntexplic \"archite\" loreme untu 5676 \"https://example.net/con/nisist.gif?ium=esciuntN#idunt\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] \"PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt\" 10.233.239.112 npr mquelau \"iadolor\" amcol adeser 3780 \"https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] \"CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi\" 10.21.169.127 rpori ice \"oles\" edic seq 2835 \"https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - 
"ecs": { - "version": "8.11.0" - }, - "message": "10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] \"LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge\" 10.69.139.26 ditemp edqui \"nre\" veli volupta 7124 \"https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] \"COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi\" 10.104.80.189 dolore onsecte \"nBCSedut\" ugiat onulam 1542 \"https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] \"UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol\" 10.116.230.217 mvele isis \"uasiar\" utlab emUteni 7122 \"https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.26.96.202 2751 [02/Apr/2017:1:27:07 rautodi] \"ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu\" 10.119.90.128 lor oraincid \"intocc\" amcorp ntsunt 4826 \"https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", - "tags": [ - 
"preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] \"HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo\" 10.76.110.144 tdol upt \"mex\" tatem untutlab 3386 \"https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] \"MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo\" 10.135.46.242 lupta xeaco \"nvolupt\" oremi elites 1940 \"https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] \"TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri\" 10.154.53.249 tae autodit \"elit\" cidunt plica 7398 \"https://internal.example.org/emqu/nderi.html?accusant=onse#admin\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.93.39.140 4275 [29/May/2017:5:37:24 ute] \"COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc\" 10.150.245.88 orisn reetd \"prehen\" ntutlabo iusmodte 1738 \"https://example.org/isc/Nequepor.txt?rem=idid#tesse\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] \"UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu\" 10.73.207.70 llamco atu \"untincul\" ssecil commodi 3023 \"https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] \"GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac\" temUt 2741 \"https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow 10.50.124.116 numquam 104.719000", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.173.222.131 918 [11/Jul/2017:2:45:07 ori] \"TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil\" 10.211.234.224 uiadol Duisa \"lupta\" aUt boNem 5564 \"https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] \"PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed\" 10.0.157.225 itam atu \"lloin\" remipsum tempor 1282 \"https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve\" \"Mozilla/5.0 
(Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] \"PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia\" 10.92.237.93 mad onse \"redol\" gnaa mod 5107 \"https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.102.215.23 3665 [22/Aug/2017:11:52:50 esseq] \"POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN\" 10.20.28.92 econs ntexpl \"dunt\" litsedq nderiti 409 \"https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] \"NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic\" 10.17.87.79 tetur tionula \"ritqu\" ecatcupi uamei 4595 \"https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] \"DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc\" 10.189.94.51 tetura rsp \"oluptat\" metco acom 5704 \"https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] \"GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco\" 10.101.85.169 natu liquid \"enim\" Finibus radi 5697 \"https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] \"HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi\" 10.231.7.209 lorsita eavol \"osamnis\" temaccu scipitl 1247 \"https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] \"CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh ratv\" 10.77.129.175 tali BCS \"qui\" ugiatquo incidid 2617 \"https://www.example.com/sBonor/fugits.jpg?amc=vol#admi\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.51.236.148 329 [16/Nov/2017:6:08:15 adol] \"PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup\" 10.116.146.114 col obea \"emp\" agnaaliq est 1444 \"https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] \"NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse\" 10.217.222.99 ame amvolu \"mip\" tion tobeatae 2512 \"https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] \"PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis\" 10.150.198.112 ntmoll mexer \"estla\" uipexe abor 1370 \"https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.45.114.111 357 [29/Dec/2017:3:15:58 olup] \"POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab\" 10.45.54.107 seddoeiu nse \"aali\" edictasu mdolors 7490 \"https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] \"TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia\" 
10.205.28.24 oeni untutlab \"tvolup\" consecte pteurs 742 \"https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.17.202.219 487 [27/Jan/2018:5:21:06 iame] \"HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni\" 10.183.223.149 cor odoco \"oin\" itseddoe elites 6366 \"https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] \"MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan\" 10.88.172.222 doconse etdol \"dolorsi\" nturmag tura 6695 \"https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau\" \"mobmail android 2.1.3.3150\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] \"OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero\" 10.247.53.179 issu identsu \"piscivel\" hend eacommo 6835 \"https://example.com/osquira/umd.gif?scipi=tur#acon\" \"mobmail android 2.1.3.3150\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] \"UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido\" 10.172.148.223 snulap enimadm \"stenatu\" upta atc 3066 \"https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon\" \"Mozilla/5.0 (Linux; Android 5.1.1; 
Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] \"GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico\" 10.232.19.43 porinc riame \"riat\" sseq eriam 729 \"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.207.97.192 973 [08/Apr/2018:4:33:58 emp] \"ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx\" 10.55.55.72 nculp asp \"eacom\" mag gelitse 2007 \"https://example.net/lab/llumq.htm?tetura=rumet#uptasnul\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.41.156.88 203 [22/Apr/2018:11:36:32 oco] \"MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat\" 10.89.73.240 orem ntorever \"pisciv\" fugiatqu seos 5561 \"https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.54.44.231 5292 [07/May/2018:6:39:06 aco] \"CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios\" 10.101.183.86 mvenia mcorpo \"ntexpl\" abor oreverit 6451 
\"https://internal.example.net/tat/eufugia.htm?tau=fficia#est\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] \"LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc\" 10.130.150.189 oreeu nvo \"iamqui\" tassita colabori 1223 \"https://www.example.net/lpa/isn.htm?iat=ffic#siuta\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] \"GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup\" 10.83.130.95 ipitlabo userror \"eacommo\" nderi liqua 7030 \"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] \"COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt\" 10.166.160.217 olor radip \"rchitect\" Dui iameaqu 2429 \"https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] \"UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu\" 10.183.243.246 amni tatio \"amquisno\" modoc magnam 3267 
\"https://example.com/idatat/onev.html?lesti=oreseo#reprehen\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] \"OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam\" 10.202.224.209 iusmodit aturv \"ectetura\" obeataev umf 3141 \"https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] \"PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors\" 10.170.234.233 accus uatu \"mquis\" lab uido 2046 \"https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] \"DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic\" 10.142.130.227 olabori odic \"iuta\" liquaUte scivelit 7795 \"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] \"DELETE 
https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini\" 10.61.110.7 oremque quaU \"ufugi\" cin tmo 508 \"https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] \"COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore\" 10.68.198.188 doeiu onsectet \"dentsunt\" inea animid 2119 \"https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] \"CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit\" 10.169.63.169 ariat midestl \"quatu\" avolu teturad 3465 \"https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] \"PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima\" 10.62.10.137 eeufugi deomnisi \"olupta\" oll laboree 3880 \"https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] 
\"COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud\" 10.255.40.12 rro oeiusmo \"nimv\" emeu tatemac 5192 \"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] \"GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam\" tuser 2694 \"https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" deny 10.88.98.31 rured 105.243000", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] \"OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi\" 10.1.27.133 edqu tationu \"gnaaliq\" olore ntutlab 6881 \"https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] \"POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco\" 10.70.244.155 olorsi caboNemo \"uptas\" temaccus ons 2160 \"https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, 
like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.204.214.98 985 [21/Dec/2018:11:20:14 equ] \"PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo\" 10.121.80.158 boriosa cillumdo \"ditau\" moenimip uames 7663 \"https://internal.example.com/lor/oreeu.html?eturadip=nost#atus\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] \"PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu\" 10.139.151.19 eumf roquisq \"uasi\" maveniam uis 5533 \"https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] \"DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat\" 10.242.48.203 ctobeat isi \"idexeac\" ntu tdolo 3872 \"https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] \"PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod\" 10.254.10.98 adipisc aparia 
\"maliq\" ccusant epteurs 6661 \"https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca\" \"Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] \"LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr\" 10.175.138.42 olore onemul \"trudexe\" remeum etur 890 \"https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] \"PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch\" 10.18.199.203 ugits ittenb \"tobeatae\" ntut llum 366 \"https://example.com/equat/estiaec.htm?mquido=ende#ntmollit\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] \"NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt\" 10.73.80.251 pteurs ercitati \"atem\" serro lumquid 5939 \"https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] \"PURGE 
https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill\" 10.22.34.206 mini mve \"tionev\" uasiarch velites 1745 \"https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] \"CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt\" 10.199.103.185 uipe ipsa \"con\" eirured sequamn 5243 \"https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] \"COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab\" 10.128.84.27 nula ptate \"volupta\" umfu utla 2478 \"https://www5.example.com/dolo/velites.gif?equa=apari#tsunt\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.49.169.175 2103 [13/May/2019:9:45:57 sistena] \"HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines\" 10.115.154.104 illum ore \"spici\" Sedut tatis 7767 \"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) 
Chrome/81.0.4044.138 Mobile Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] \"PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse\" 10.33.112.100 catcup enimad \"magnaali\" velillum ionev 1594 \"https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] \"CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa\" 10.25.53.93 tvolup oremeu \"lab\" lla urau 6127 \"https://example.net/equamni/atcupi.htm?onemull=mdo#labore\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] \"HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu\" 10.246.115.57 edquiano mSecti \"henderi\" taevitae tevel 5926 \"https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] \"NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse\" 10.82.148.126 inBCSedu ita \"ade\" nihilmol nder 2214 \"https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 
LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] \"DELETE https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali\" 10.6.11.124 edqui tvolu \"psu\" strud onsequ 5930 \"https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] \"CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov\" 10.145.25.55 litsed lumd \"tiaec\" lorem iamquisn 2079 \"https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] \"TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm\" 10.6.88.105 uptatemU rem \"onorumet\" iscivel rinci 249 \"https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" allow", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.252.146.132 503 [05/Sep/2019:6:06:31 tat] \"CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi\" 10.163.9.35 uatDu umq \"ipsu\" oremip ota 4562 \"https://example.com/epteurs/itse.jpg?modi=cip#tla\" \"Mozilla/5.0 (Linux; 
Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] \"DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo\" 10.235.160.245 squamest upta \"umquiad\" porinc uameiu 4857 \"https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.140.170.171 773 [03/Oct/2019:8:11:40 deom] \"TRACE https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici\" 10.73.218.58 quidol tinv \"Utenima\" nse umq 1831 \"https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] \"OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu\" 10.67.148.40 tcons squamest \"ction\" emveleum siuta 2155 \"https://example.com/epteur/onproi.txt?imveniam=sunte#exerc\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] \"UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa\" 10.37.33.179 taed eatae \"siutali\" oloremq sum 6106 \"https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat\" \"Mozilla/5.0 
(Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] \"MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv\" 10.84.107.38 tutla usmod \"ine\" qui itse 2097 \"https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] \"POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit\" 10.204.223.184 oinve ptasnul \"utaliqui\" mcorpor rerepr 6861 \"https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.11.0" - }, - "message": "10.195.4.70 3844 [14/Dec/2019:7:24:31 mfugiat] \"PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela\" 10.229.39.190 Nequepo edictas \"emac\" rmagnido exeaco 2574 \"https://api.example.org/loremi/nven.htm?usan=ugiatn#squa\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", - "tags": [ - "preserve_original_event" - ] - } - ] -} \ No newline at end of file 
diff --git a/packages/squid/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/squid/data_stream/log/_dev/test/system/test-filestream-config.yml
new file mode 100644
index 00000000000..273d86181fe
--- /dev/null
+++ b/packages/squid/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -0,0 +1,9 @@
+service: squid-log-filestream
+input: filestream
+data_stream:
+ vars:
+ paths:
+ - "{{SERVICE_LOGS_DIR}}/squid-log-*.log"
+ preserve_original_event: true
+assert:
+ hit_count: 100
diff --git a/packages/squid/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/squid/data_stream/log/_dev/test/system/test-logfile-config.yml
deleted file mode 100644
index 6d0dc68455d..00000000000
--- a/packages/squid/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-service: squid-log-logfile
-input: logfile
-data_stream:
- vars:
- paths:
- - "{{SERVICE_LOGS_DIR}}/squid-log-*.log"
diff --git a/packages/squid/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/squid/data_stream/log/_dev/test/system/test-tcp-config.yml
index c892dbd2809..62f303810fb 100644
--- a/packages/squid/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/squid/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -5,3 +5,6 @@ data_stream:
 vars:
 tcp_host: 0.0.0.0
 tcp_port: 9537
+ preserve_original_event: true
+assert:
+ hit_count: 100
diff --git a/packages/squid/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/squid/data_stream/log/_dev/test/system/test-tls-config.yml
new file mode 100644
index 00000000000..002037ffa8b
--- /dev/null
+++ b/packages/squid/data_stream/log/_dev/test/system/test-tls-config.yml
@@ -0,0 +1,62 @@
+service: squid-log-tls
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ tcp_host: 0.0.0.0
+ tcp_port: 9538
+ preserve_original_event: true
+ ssl: |
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN
+ U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU
+ /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS
+ cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70
+ 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL
+ SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT
+ Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW
+ u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35
+ FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc
+ vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v
+ jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR
+ mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS
+ 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV
+ 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV
+ UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7
+ +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu
+ +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke
+ KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq
+ w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx
+ vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ
+ ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5
+ gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2
+ JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn
+ hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl
+ qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh
+ 8tmmxZZYa5aQxEO/lxB9xQKaiQ==
+ -----END PRIVATE KEY-----
+ certificate: |
+ -----BEGIN 
CERTIFICATE-----
+ MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL
+ BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+ GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw
+ MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+ HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+ AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho
+ lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr
+ xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx
+ z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1
+ BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS
+ R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud
+ DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f
+ TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+ T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ
+ s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC
+ e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T
+ mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho
+ X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA
+ qEf55SihFqErRMeURPPF
+ -----END CERTIFICATE-----
+assert:
+ hit_count: 100
diff --git a/packages/squid/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/squid/data_stream/log/_dev/test/system/test-udp-config.yml
index d6665337fdb..e7a914519ea
--- a/packages/squid/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/squid/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -5,3 +5,6 @@ data_stream:
 vars:
 udp_host: 0.0.0.0
 udp_port: 9537
+ preserve_original_event: true
+assert:
+ hit_count: 100
diff --git a/packages/squid/data_stream/log/agent/stream/filestream.yml.hbs b/packages/squid/data_stream/log/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..be7e13b68f5
--- /dev/null
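Review bot: The `ssl` block of test-tls-config.yml checks a PEM private key into the repository with nothing marking it as a disposable test credential, which is exactly what secret scanners and future readers will trip over. Decoding the certificate's validity fields gives a window of 2021-10-01 to 2021-10-02, so this self-signed certificate is long expired and the test can only pass if the log sender does not verify the server certificate; that dependency is worth stating so nobody later enables verification and is surprised when the test breaks. Add a comment above `ssl: |` such as `# Throw-away self-signed key pair generated for this system test only; the certificate is expired and the test sender does not verify it, so never reuse it elsewhere.`, and consider regenerating the pair with a long validity if verification is ever turned on.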
+++ b/packages/squid/data_stream/log/agent/stream/filestream.yml.hbs
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+prospector.scanner.exclude_files: ['\.gz$']
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/squid/data_stream/log/agent/stream/stream.yml.hbs b/packages/squid/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100644
index 70754fe7333..00000000000
--- a/packages/squid/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
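Review bot: The new filestream template no longer sets `fields_under_root: true` with the constant `observer.vendor`, `observer.product` and `observer.type` values that the deleted stream.yml.hbs attached to every event, and nothing in this hunk replaces them. Unless the ingest pipeline (not visible here) now populates `observer.*`, events collected through filestream lose those fields and any dashboard or query filtering on them silently stops matching; please confirm the pipeline sets them or add the `fields` block back to the template. As a smaller point, `- {{path}}` is rendered unquoted, so a configured path that starts with `*` or contains `: ` or ` #` breaks the generated YAML; `- "{{path}}"` is the safer form for a templated scalar.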
@@ -1,3057 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: ['\.gz$'] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Squid" - product: "Proxy" - type: "Proxies" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- tzOffset = evt.Get("event.timezone");
- }
- var container = new DateContainer(tzOffset);
- for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- dup6,
- dup7,
- dup8,
- dup9,
- dup10,
- dup11,
- dup12,
- ]));
-
- var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup13,
- dup8,
- dup9,
- dup10,
- dup14,
- dup12,
- ]));
-
- var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
- dup1,
- dup2,
- dup4,
- dup5,
- dup6,
- dup7,
- dup8,
- dup9,
- dup10,
- dup11,
- dup12,
- ]));
-
- var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([
- dup1,
- dup2,
- dup4,
- dup13,
- dup8,
- dup9,
- dup10,
- dup14,
- dup12,
- ]));
-
- var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
- dup1,
- dup5,
- dup6,
- dup7,
- dup8,
- dup9,
- dup10,
- dup11,
- dup12,
- ]));
-
- var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([
- dup1,
- dup13,
- dup8,
- dup9,
- dup10,
- dup14,
- dup12,
- ]));
-
- var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{p0}", processor_chain([
- setc("header_id","0001"),
- call({
- dest: "nwparser.payload",
- fn: STRCAT,
- args: [
- field("hsaddr"),
- constant(" "),
- field("hsport"),
- constant(" ["),
- field("fld20"),
- constant(" "),
- field("fld21"),
- constant("] \""),
- field("messageid"),
- constant(" "),
- field("p0"),
- ],
- }),
- ]));
-
- var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{p0}", processor_chain([
- setc("header_id","0002"),
- call({
- dest: "nwparser.payload",
- fn: STRCAT,
- args: [
- field("hevent_time_string"),
- constant(" "),
- field("hduration"),
- constant(" "),
- field("hsaddr"),
- constant(" "),
- field("haction"),
- constant("/"),
- field("hresultcode"),
- constant(" "),
- field("hsbytes"),
- constant(" "),
- field("messageid"),
- constant(" "),
- field("p0"),
- ],
- }),
- ]));
-
- var select1 = linear_select([
- hdr1,
- hdr2,
- ]);
-
- var msg1 = msg("GET", dup15);
-
- var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- dup6,
- dup7,
- dup8,
- dup9,
- dup10,
- dup11,
- dup12,
- ]));
-
- var msg2 = msg("GET:02", part1);
-
- var msg3 = msg("GET:01", dup16);
-
- var select2 = linear_select([
- msg1,
- msg2,
- msg3,
- ]);
-
- var msg4 = msg("HEAD", dup15);
-
- var msg5 = msg("HEAD:01",
dup16); - - var select3 = linear_select([ - msg4, - msg5, - ]); - - var msg6 = msg("POST", dup17); - - var msg7 = msg("POST:01", dup18); - - var select4 = linear_select([ - msg6, - msg7, - ]); - - var msg8 = msg("PUT", dup19); - - var msg9 = msg("PUT:01", dup20); - - var select5 = linear_select([ - msg8, - msg9, - ]); - - var msg10 = msg("DELETE", dup19); - - var msg11 = msg("DELETE:01", dup20); - - var select6 = linear_select([ - msg10, - msg11, - ]); - - var msg12 = msg("TRACE", dup19); - - var msg13 = msg("TRACE:01", dup20); - - var select7 = linear_select([ - msg12, - msg13, - ]); - - var msg14 = msg("OPTIONS", dup19); - - var msg15 = msg("OPTIONS:01", dup20); - - var select8 = linear_select([ - msg14, - msg15, - ]); - - var msg16 = msg("CONNECT", dup17); - - var msg17 = msg("CONNECT:01", dup18); - - var select9 = linear_select([ - msg16, - msg17, - ]); - - var msg18 = msg("ICP_QUERY", dup19); - - var msg19 = msg("ICP_QUERY:01", dup20); - - var select10 = linear_select([ - msg18, - msg19, - ]); - - var msg20 = msg("PURGE", dup19); - - var msg21 = msg("PURGE:01", dup20); - - var select11 = linear_select([ - msg20, - msg21, - ]); - - var msg22 = msg("PROPFIND", dup19); - - var msg23 = msg("PROPFIND:01", dup20); - - var select12 = linear_select([ - msg22, - msg23, - ]); - - var msg24 = msg("PROPATCH", dup19); - - var msg25 = msg("PROPATCH:01", dup20); - - var select13 = linear_select([ - msg24, - msg25, - ]); - - var msg26 = msg("MKOL", dup19); - - var msg27 = msg("MKOL:01", dup20); - - var select14 = linear_select([ - msg26, - msg27, - ]); - - var msg28 = msg("COPY", dup19); - - var msg29 = msg("COPY:01", dup20); - - var select15 = linear_select([ - msg28, - msg29, - ]); - - var msg30 = msg("MOVE", dup19); - - var msg31 = msg("MOVE:01", dup20); - - var select16 = linear_select([ - msg30, - msg31, - ]); - - var msg32 = msg("LOCK", dup19); - - var msg33 = msg("LOCK:01", dup20); - - var select17 = linear_select([ - msg32, - msg33, - ]); - - var msg34 = msg("UNLOCK", 
dup19); - - var msg35 = msg("UNLOCK:01", dup20); - - var select18 = linear_select([ - msg34, - msg35, - ]); - - var msg36 = msg("NONE", dup19); - - var msg37 = msg("NONE:01", dup20); - - var select19 = linear_select([ - msg36, - msg37, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "CONNECT": select9, - "COPY": select15, - "DELETE": select6, - "GET": select2, - "HEAD": select3, - "ICP_QUERY": select10, - "LOCK": select17, - "MKOL": select14, - "MOVE": select16, - "NONE": select19, - "OPTIONS": select8, - "POST": select4, - "PROPATCH": select13, - "PROPFIND": select12, - "PURGE": select11, - "PUT": select5, - "TRACE": select7, - "UNLOCK": select18, - }), - ]); - - var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} 
%{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/squid/data_stream/log/agent/stream/tcp.yml.hbs b/packages/squid/data_stream/log/agent/stream/tcp.yml.hbs index 5e616afc65b..84497a2d00a 100644 --- a/packages/squid/data_stream/log/agent/stream/tcp.yml.hbs +++ b/packages/squid/data_stream/log/agent/stream/tcp.yml.hbs 
@@ -1,3054 +1,21 @@ -tcp: host: "{{tcp_host}}:{{tcp_port}}" tags: {{#if preserve_original_event}} - preserve_original_event {{/if}} -{{#each tags as |tag i|}} +{{#each tags as |tag|}} - {{tag}} {{/each}} -fields_under_root: true -fields: - observer: - vendor: "Squid" - product: "Proxy" - type: "Proxies" {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} -processors: +{{#if ssl}} +ssl: {{ssl}} +{{/if}} {{#if processors}} +processors: {{processors}} {{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
- 
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
- 
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
- 
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
- 
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
- 
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
- 
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
- 
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var dup20 = match("MESSAGE#22:PUT:01", 
"nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hsaddr"), - constant(" "), - field("hsport"), - constant(" ["), - field("fld20"), - constant(" "), - field("fld21"), - constant("] \""), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_time_string"), - constant(" "), - field("hduration"), - constant(" "), - field("hsaddr"), - constant(" "), - field("haction"), - constant("/"), - field("hresultcode"), - constant(" "), - field("hsbytes"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - ]); - - var msg1 = msg("GET", dup15); - - var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var msg2 = msg("GET:02", part1); - - var msg3 = msg("GET:01", dup16); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - ]); - - var msg4 = msg("HEAD", dup15); - - var msg5 = msg("HEAD:01", 
dup16); - - var select3 = linear_select([ - msg4, - msg5, - ]); - - var msg6 = msg("POST", dup17); - - var msg7 = msg("POST:01", dup18); - - var select4 = linear_select([ - msg6, - msg7, - ]); - - var msg8 = msg("PUT", dup19); - - var msg9 = msg("PUT:01", dup20); - - var select5 = linear_select([ - msg8, - msg9, - ]); - - var msg10 = msg("DELETE", dup19); - - var msg11 = msg("DELETE:01", dup20); - - var select6 = linear_select([ - msg10, - msg11, - ]); - - var msg12 = msg("TRACE", dup19); - - var msg13 = msg("TRACE:01", dup20); - - var select7 = linear_select([ - msg12, - msg13, - ]); - - var msg14 = msg("OPTIONS", dup19); - - var msg15 = msg("OPTIONS:01", dup20); - - var select8 = linear_select([ - msg14, - msg15, - ]); - - var msg16 = msg("CONNECT", dup17); - - var msg17 = msg("CONNECT:01", dup18); - - var select9 = linear_select([ - msg16, - msg17, - ]); - - var msg18 = msg("ICP_QUERY", dup19); - - var msg19 = msg("ICP_QUERY:01", dup20); - - var select10 = linear_select([ - msg18, - msg19, - ]); - - var msg20 = msg("PURGE", dup19); - - var msg21 = msg("PURGE:01", dup20); - - var select11 = linear_select([ - msg20, - msg21, - ]); - - var msg22 = msg("PROPFIND", dup19); - - var msg23 = msg("PROPFIND:01", dup20); - - var select12 = linear_select([ - msg22, - msg23, - ]); - - var msg24 = msg("PROPATCH", dup19); - - var msg25 = msg("PROPATCH:01", dup20); - - var select13 = linear_select([ - msg24, - msg25, - ]); - - var msg26 = msg("MKOL", dup19); - - var msg27 = msg("MKOL:01", dup20); - - var select14 = linear_select([ - msg26, - msg27, - ]); - - var msg28 = msg("COPY", dup19); - - var msg29 = msg("COPY:01", dup20); - - var select15 = linear_select([ - msg28, - msg29, - ]); - - var msg30 = msg("MOVE", dup19); - - var msg31 = msg("MOVE:01", dup20); - - var select16 = linear_select([ - msg30, - msg31, - ]); - - var msg32 = msg("LOCK", dup19); - - var msg33 = msg("LOCK:01", dup20); - - var select17 = linear_select([ - msg32, - msg33, - ]); - - var msg34 = msg("UNLOCK", 
dup19); - - var msg35 = msg("UNLOCK:01", dup20); - - var select18 = linear_select([ - msg34, - msg35, - ]); - - var msg36 = msg("NONE", dup19); - - var msg37 = msg("NONE:01", dup20); - - var select19 = linear_select([ - msg36, - msg37, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "CONNECT": select9, - "COPY": select15, - "DELETE": select6, - "GET": select2, - "HEAD": select3, - "ICP_QUERY": select10, - "LOCK": select17, - "MKOL": select14, - "MOVE": select16, - "NONE": select19, - "OPTIONS": select8, - "POST": select4, - "PROPATCH": select13, - "PROPFIND": select12, - "PURGE": select11, - "PUT": select5, - "TRACE": select7, - "UNLOCK": select18, - }), - ]); - - var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} 
%{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/squid/data_stream/log/agent/stream/udp.yml.hbs b/packages/squid/data_stream/log/agent/stream/udp.yml.hbs
index 0a5ca79288c..4c5681708ad 100644
--- a/packages/squid/data_stream/log/agent/stream/udp.yml.hbs
+++ b/packages/squid/data_stream/log/agent/stream/udp.yml.hbs
@@ -1,3054 +1,18 @@ -udp: host: "{{udp_host}}:{{udp_port}}" tags: {{#if preserve_original_event}} - preserve_original_event {{/if}} -{{#each tags as |tag i|}} +{{#each tags as |tag|}} - {{tag}} {{/each}} -fields_under_root: true -fields: - observer: - vendor: "Squid" - product: "Proxy" - type: "Proxies" {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} -processors: {{#if processors}} +processors: {{processors}} {{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var dup20 = match("MESSAGE#22:PUT:01", 
"nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hsaddr"), - constant(" "), - field("hsport"), - constant(" ["), - field("fld20"), - constant(" "), - field("fld21"), - constant("] \""), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_time_string"), - constant(" "), - field("hduration"), - constant(" "), - field("hsaddr"), - constant(" "), - field("haction"), - constant("/"), - field("hresultcode"), - constant(" "), - field("hsbytes"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - ]); - - var msg1 = msg("GET", dup15); - - var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var msg2 = msg("GET:02", part1); - - var msg3 = msg("GET:01", dup16); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - ]); - - var msg4 = msg("HEAD", dup15); - - var msg5 = msg("HEAD:01", 
dup16); - - var select3 = linear_select([ - msg4, - msg5, - ]); - - var msg6 = msg("POST", dup17); - - var msg7 = msg("POST:01", dup18); - - var select4 = linear_select([ - msg6, - msg7, - ]); - - var msg8 = msg("PUT", dup19); - - var msg9 = msg("PUT:01", dup20); - - var select5 = linear_select([ - msg8, - msg9, - ]); - - var msg10 = msg("DELETE", dup19); - - var msg11 = msg("DELETE:01", dup20); - - var select6 = linear_select([ - msg10, - msg11, - ]); - - var msg12 = msg("TRACE", dup19); - - var msg13 = msg("TRACE:01", dup20); - - var select7 = linear_select([ - msg12, - msg13, - ]); - - var msg14 = msg("OPTIONS", dup19); - - var msg15 = msg("OPTIONS:01", dup20); - - var select8 = linear_select([ - msg14, - msg15, - ]); - - var msg16 = msg("CONNECT", dup17); - - var msg17 = msg("CONNECT:01", dup18); - - var select9 = linear_select([ - msg16, - msg17, - ]); - - var msg18 = msg("ICP_QUERY", dup19); - - var msg19 = msg("ICP_QUERY:01", dup20); - - var select10 = linear_select([ - msg18, - msg19, - ]); - - var msg20 = msg("PURGE", dup19); - - var msg21 = msg("PURGE:01", dup20); - - var select11 = linear_select([ - msg20, - msg21, - ]); - - var msg22 = msg("PROPFIND", dup19); - - var msg23 = msg("PROPFIND:01", dup20); - - var select12 = linear_select([ - msg22, - msg23, - ]); - - var msg24 = msg("PROPATCH", dup19); - - var msg25 = msg("PROPATCH:01", dup20); - - var select13 = linear_select([ - msg24, - msg25, - ]); - - var msg26 = msg("MKOL", dup19); - - var msg27 = msg("MKOL:01", dup20); - - var select14 = linear_select([ - msg26, - msg27, - ]); - - var msg28 = msg("COPY", dup19); - - var msg29 = msg("COPY:01", dup20); - - var select15 = linear_select([ - msg28, - msg29, - ]); - - var msg30 = msg("MOVE", dup19); - - var msg31 = msg("MOVE:01", dup20); - - var select16 = linear_select([ - msg30, - msg31, - ]); - - var msg32 = msg("LOCK", dup19); - - var msg33 = msg("LOCK:01", dup20); - - var select17 = linear_select([ - msg32, - msg33, - ]); - - var msg34 = msg("UNLOCK", 
dup19); - - var msg35 = msg("UNLOCK:01", dup20); - - var select18 = linear_select([ - msg34, - msg35, - ]); - - var msg36 = msg("NONE", dup19); - - var msg37 = msg("NONE:01", dup20); - - var select19 = linear_select([ - msg36, - msg37, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "CONNECT": select9, - "COPY": select15, - "DELETE": select6, - "GET": select2, - "HEAD": select3, - "ICP_QUERY": select10, - "LOCK": select17, - "MKOL": select14, - "MOVE": select16, - "NONE": select19, - "OPTIONS": select8, - "POST": select4, - "PROPATCH": select13, - "PROPFIND": select12, - "PURGE": select11, - "PUT": select5, - "TRACE": select7, - "UNLOCK": select18, - }), - ]); - - var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} 
%{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - - var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - ])); - - var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
diff --git a/packages/squid/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/squid/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 3672fb82d0e..f0b17066b1a 100644
--- a/packages/squid/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/squid/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1,71 +1,170 @@ --- -description: Pipeline for Squid - +description: Pipeline for processing Squid logs. processors: - set: field: ecs.version value: '8.11.0' - # User agent - - user_agent: - field: user_agent.original + - set: + field: event.original + copy_from: message + - remove: + field: message + - set: + field: observer.vendor + value: Squid + - set: + field: observer.product + value: Squid + - set: + field: observer.type + value: proxy + - set: + field: event.kind + value: event + - set: + field: event.category + value: [web] + - set: + field: event.type + value: [access] + + - grok: + tag: grok_message + field: event.original + patterns: + - '^%{NUMBER:_tmp.time_s:long}\.%{NUMBER:_tmp.time_ms:long}%{SPACE}%{NUMBER:_tmp.elapsed:long} %{NOTSPACE:_tmp.source_ip} %{NOTSLASH:_tmp.code}/%{NOTSPACE:_tmp.status:long} %{NUMBER:_tmp.destination_bytes:long} %{NOTSPACE:_tmp.method} %{NOTSPACE:_tmp.url} %{NOTSPACE:_tmp.user_name} %{NOTSLASH:_tmp.peer_status}/%{NOTSPACE:_tmp.peer_host} %{NOTSPACE:_tmp.content_type}$' + pattern_definitions: + NOTSLASH: '[^/]+' + NOTBRACKET: '[^\[\]]+' + NUMBER: '[0-9]+' + + - script: + tag: remove_empty_fields + lang: painless + source: >- + ctx._tmp?.values().removeIf(value -> value == "-"); + + - script: + tag: compute_timestamp + lang: painless + if: ctx._tmp?.time_s instanceof Number && ctx._tmp?.time_ms instanceof Number + source: >- + ctx["@timestamp"] = new Date(ctx._tmp.time_s * 1000 + ctx._tmp.time_ms); + - script: + tag: compute_elapsed + lang: painless + if: ctx._tmp?.elapsed instanceof Number + source: >- + ctx.event["duration"] = ctx._tmp.elapsed * 1000000; + + - rename: + tag: move_user_name + field: _tmp.user_name + target_field: source.user.name ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo + - append: + tag: append_related_source_user + field: related.user + value: '{{{source.user.name}}}' + allow_duplicates: false + if: ctx.source?.user?.name != null + + - 
convert: + tag: convert_source_ip + field: _tmp.source_ip + type: ip + target_field: source.ip ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo + - set: + tag: set_source_address + field: source.address + copy_from: source.ip + ignore_empty_value: true + - append: + tag: append_related_source_ip + field: related.ip + value: '{{{source.ip}}}' + allow_duplicates: false + if: ctx.source?.ip != null + + - rename: + tag: move_destination_bytes + field: _tmp.destination_bytes + target_field: destination.bytes ignore_missing: true + - set: + tag: set_http_request_body_bytes + field: http.request.body.bytes + copy_from: destination.bytes + ignore_empty_value: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name + - rename: + tag: move_http_method + field: _tmp.method + target_field: http.request.method + ignore_missing: true + - uri_parts: + tag: uri_parts + field: _tmp.url + if: ctx.http?.request?.method != 'CONNECT' ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name + - rename: + tag: move_connect_hostport + field: _tmp.url + target_field: url.original + if: ctx._tmp?.url != null && ctx.http?.request?.method == 'CONNECT' + - set: + tag: set_destination_address + field: destination.address + copy_from: url.domain + ignore_empty_value: true + + - set: + tag: set_event_outcome_success + field: event.outcome + value: success + if: ctx._tmp?.status instanceof Number && ctx._tmp.status < 400 + - set: + tag: set_event_outcome_failure + field: event.outcome + value: failure + if: ctx._tmp?.status instanceof Number && ctx._tmp.status >= 400 + - rename: + tag: move_status_code + field: _tmp.status + target_field: squid.status_code ignore_missing: true + - rename: - field: source.as.asn - target_field: 
source.as.number + tag: move_result_code + field: _tmp.code + target_field: squid.result_code ignore_missing: true - rename: - field: source.as.organization_name - target_field: source.as.organization.name + tag: move_peer_status + field: _tmp.peer_status + target_field: squid.peer_status ignore_missing: true - rename: - field: destination.as.asn - target_field: destination.as.number + tag: move_content_type + field: _tmp.content_type + target_field: squid.content_type ignore_missing: true - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name + tag: move_peer_host + field: _tmp.peer_host + target_field: squid.peer_host ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' + - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true + field: + - _tmp ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/squid/data_stream/log/fields/base-fields.yml b/packages/squid/data_stream/log/fields/base-fields.yml index c25d7cae586..2910f4f0231 100644 --- a/packages/squid/data_stream/log/fields/base-fields.yml +++ b/packages/squid/data_stream/log/fields/base-fields.yml 
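Review bot: The new pipeline keeps `event.original` on every document: the `set` near the top of the hunk copies `message` into it unconditionally, and the final `remove` now drops only `_tmp`, whereas the removed lines dropped `event.original` unless the `preserve_original_event` tag was present, which is the convention the other integrations' pipelines follow. Restoring that conditional remove, and guarding the copy with `if: ctx.event?.original == null` plus `ignore_empty_value: true` so an already-populated value is not overwritten, avoids storing every access-log line twice by default. Separately, `destination.address` is set from `url.domain` but nothing feeds `related.hosts` any more (the removed `append` populated it from `host.name`); an `append` of `{{{url.domain}}}` to `related.hosts` with `allow_duplicates: false` and `if: ctx.url?.domain != null` would keep host pivots working after the upgrade.
```yaml
  - set:
      field: event.original
      copy_from: message
      ignore_empty_value: true
      if: ctx.event?.original == null
  # … unchanged: observer/event constants, grok, scripts, rename and outcome processors …
  - remove:
      field: event.original
      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
      ignore_failure: true
      ignore_missing: true
  # … unchanged: remove of _tmp, on_failure handler …
```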
@@ -36,3 +36,27 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/squid/data_stream/log/fields/ecs.yml b/packages/squid/data_stream/log/fields/ecs.yml
deleted file mode 100644
index 979dfd694dd..00000000000
--- a/packages/squid/data_stream/log/fields/ecs.yml
+++ /dev/null
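Review bot: `@timestamp` is now declared locally as a `date` field in this hunk, replacing the `external: ecs` entry from the deleted `ecs.yml`, but the other ECS fields the new pipeline writes (`source.ip`, `source.user.name`, `url.*`, `http.request.*`, `destination.bytes`, `event.outcome`, `related.*`) are not declared anywhere in this diff. Presumably they are meant to come from the package's ECS import mappings in `_dev/build/build.yml`, which is outside this view; that is worth confirming, because a field that is declared nowhere is either rejected at package build time or left to dynamic mapping, and the `long`/`ip` typed values the grok and `convert` processors produce would then depend on whatever the dynamic mapper infers from the first document.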
@@ -1,258 +0,0 @@ -- external: ecs - name: '@timestamp' -- external: ecs - name: client.domain -- external: ecs - name: client.registered_domain -- external: ecs - name: client.subdomain -- external: ecs - name: client.top_level_domain -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.bytes -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.ip -- external: ecs - name: destination.mac -- external: ecs - name: destination.nat.ip -- external: ecs - name: destination.nat.port -- external: ecs - name: destination.port -- external: ecs - name: destination.registered_domain -- external: ecs - name: destination.subdomain -- external: ecs - name: destination.top_level_domain -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.type -- external: ecs - name: dns.question.registered_domain -- external: ecs - name: dns.question.subdomain -- external: ecs - name: dns.question.top_level_domain -- external: ecs - name: dns.question.type -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.code -- external: ecs - name: event.ingested -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.timezone -- external: ecs - name: file.attributes -- external: ecs - name: file.directory -- external: ecs - name: file.extension -- external: ecs - name: file.name -- external: ecs - name: 
file.path -- external: ecs - name: file.size -- external: ecs - name: file.type -- external: ecs - name: geo.city_name -- external: ecs - name: geo.country_name -- external: ecs - name: geo.name -- external: ecs - name: geo.region_name -- external: ecs - name: group.id -- external: ecs - name: group.name -- external: ecs - name: host.hostname -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: http.request.body.bytes -- external: ecs - name: http.request.method -- external: ecs - name: http.request.referrer -- external: ecs - name: log.level -- external: ecs - name: log.syslog.facility.code -- external: ecs - name: log.syslog.priority -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: message -- external: ecs - name: network.application -- external: ecs - name: network.bytes -- external: ecs - name: network.direction -- external: ecs - name: network.forwarded_ip -- external: ecs - name: network.packets -- external: ecs - name: network.protocol -- external: ecs - name: observer.egress.interface.name -- external: ecs - name: observer.ingress.interface.name -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: process.name -- external: ecs - name: process.parent.name -- external: ecs - name: process.parent.title -- external: ecs - name: process.pid -- external: ecs - name: process.parent.pid -- external: ecs - name: process.title -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: rule.name -- external: ecs - name: server.domain -- external: ecs - name: server.registered_domain -- external: ecs - name: server.subdomain -- external: ecs - name: server.top_level_domain -- external: ecs - name: service.name -- external: ecs - name: source.address -- 
external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.bytes -- external: ecs - name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.ip -- external: ecs - name: source.mac -- external: ecs - name: source.nat.ip -- external: ecs - name: source.nat.port -- external: ecs - name: source.port -- external: ecs - name: source.registered_domain -- external: ecs - name: source.subdomain -- external: ecs - name: source.top_level_domain -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.query -- external: ecs - name: url.registered_domain -- external: ecs - name: url.subdomain -- external: ecs - name: url.top_level_domain -- external: ecs - name: user.domain -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.family -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.kernel -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.platform -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/squid/data_stream/log/fields/fields.yml b/packages/squid/data_stream/log/fields/fields.yml index ea69cd79e3c..dee6c68135e 100644 --- a/packages/squid/data_stream/log/fields/fields.yml +++ b/packages/squid/data_stream/log/fields/fields.yml 
@@ -1,1754 +1,18 @@ -- name: rsa +- name: squid type: group fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword + - name: peer_status + type: keyword + description: A code explaining how the request was handled, by forwarding it to a peer or going straight to the source. + - name: peer_host + type: keyword + description: Hostname or IP address where, in the event of a cache miss, the request was forwarded. + - name: result_code + type: keyword + description: The outcome of the request. + - name: status_code + type: long + description: The status of the result. + - name: content_type + type: keyword + description: The content type as seen in the HTTP reply header. diff --git a/packages/squid/data_stream/log/manifest.yml b/packages/squid/data_stream/log/manifest.yml index 4174c3e84f3..054f1037315 100644 --- a/packages/squid/data_stream/log/manifest.yml 
+++ b/packages/squid/data_stream/log/manifest.yml @@ -1,10 +1,9 @@ title: Squid logs -release: experimental type: logs streams: - input: udp title: Squid logs - description: Collect Squid logs + description: Collect Squid logs using the UDP input template_path: udp.yml.hbs vars: - name: tags @@ -30,30 +29,6 @@ streams: required: true show_user: true default: 9537 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - name: preserve_original_event required: true show_user: true @@ -62,6 +37,17 @@ streams: type: bool multi: false default: false + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + description: Specify custom configuration options for the UDP input. See [UDP input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-udp.html) for details. + default: | + #read_buffer: 100MiB + #max_message_size: 50KiB + #timeout: 300s - name: processors type: yaml title: Processors @@ -73,7 +59,7 @@ streams: - input: tcp title: Squid logs - description: Collect Squid logs + description: Collect Squid logs using the TCP input template_path: tcp.yml.hbs vars: - name: tags 
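Review bot: The `udp_options` default added in the `@@ -62,6 +37,17 @@` hunk is declared with `default: |`, which keeps a trailing newline, while the sibling `ssl` and `tcp_options` defaults added to the TCP stream in the `@@ -139,11 +101,31 @@` hunk use `|-`; the three defaults should share one chomping indicator, `default: |-`. The commented example lines are also written two ways, `#read_buffer: 100MiB` here versus `# max_message_size: 50KiB` in the TCP hunk, and one comment style across the three defaults would make them read as a single set of options. Both points are cosmetic, since the defaults are comment-only and the rendered UDP configuration is unaffected either way.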
@@ -99,30 +85,6 @@ streams: required: true show_user: true default: 9537 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - name: preserve_original_event required: true show_user: true @@ -139,11 +101,31 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: |- + #certificate: "/etc/server/cert.pem" + #key: "/etc/server/key.pem" + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: |- + # max_message_size: 50KiB + description: Specify custom configuration options for the TCP input. See [TCP input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. - - input: logfile + - input: filestream + template_path: filestream.yml.hbs + title: Squid logs (filestream) + description: Collect Squid logs using the filestream input enabled: false - title: Squid logs - description: Collect Squid logs from file vars: - name: paths type: text 
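Review bot: Switching the third stream from `input: logfile` to `input: filestream` in the `@@ -139,11 +101,31 @@` hunk changes the input type that existing policies reference, and filestream keeps its own registry state, so an agent upgraded onto this version may re-read files it already collected unless the new `filestream.yml.hbs` template (not in this diff) opts into taking over the old log-input state; worth confirming that, or at least calling out the possible re-ingest in the changelog. In the same hunk the `ssl` var's description reads `i.e. certificate_authorities, supported_protocols, verification_mode etc.`, which should be "e.g." and, since this is a listening TCP input, could name the server-side options its own default shows: `description: SSL options for the TCP listener, e.g. certificate, key, certificate_authorities, supported_protocols, verification_mode.` The filestream stream's `vars` list continues past the end of the hunk.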
@@ -162,30 +144,6 @@ streams: default: - squid-log - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - name: preserve_original_event required: true show_user: true diff --git a/packages/squid/data_stream/log/sample_event.json b/packages/squid/data_stream/log/sample_event.json index 892678dde6b..750b46a8ae3 100644 --- a/packages/squid/data_stream/log/sample_event.json +++ b/packages/squid/data_stream/log/sample_event.json 
@@ -1,116 +1,94 @@ { - "@timestamp": "2006-09-08T04:21:52.000Z", + "@timestamp": "2006-09-08T04:21:52.049Z", "agent": { - "ephemeral_id": "724f1b11-a938-4b3f-a226-3a713e999bf2", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", + "ephemeral_id": "d2fe5a60-2c7f-4a2b-9c91-a88abd26c2d1", + "id": "2b35d07e-645d-4dd4-b6de-d2964870586d", + "name": "elastic-agent-68860", "type": "filebeat", - "version": "8.0.0" + "version": "8.15.0" }, "data_stream": { "dataset": "squid.log", - "namespace": "ep", + "namespace": "42631", "type": "logs" }, "destination": { - "ip": [ - "209.73.177.115" - ] + "bytes": 19763 }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" + "id": "2b35d07e-645d-4dd4-b6de-d2964870586d", + "snapshot": false, + "version": "8.15.0" }, "event": { - "action": "TCP_MISS", "agent_id_status": "verified", - "code": "CONNECT", + "category": [ + "web" + ], "dataset": "squid.log", - "ingested": "2022-01-25T13:03:46Z", - "timezone": "+00:00" + "duration": 5006000000, + "ingested": "2024-08-27T12:22:15Z", + "kind": "event", + "original": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 19763 + }, + "method": "CONNECT" + } }, "input": { - "type": "udp" + "type": "filestream" }, "log": { - "source": { - "address": "172.30.0.4:52551" - } + "file": { + "device_id": "35", + "inode": "87", + "path": "/tmp/service_logs/squid-log-access.log" + }, + "offset": 0 }, "observer": { - "product": "Proxy", - "type": "Proxies", + "product": "Squid", + "type": "proxy", "vendor": "Squid" }, "related": { - "hosts": [ - "login.yahoo.com" - ], "ip": [ - "10.105.21.199", - "209.73.177.115" + "10.105.21.199" ], "user": [ "badeyek" ] }, - "rsa": { - "internal": { - "hcode": "DIRECT", - "messageid": 
"CONNECT" - }, - "investigations": { - "ec_subject": "NetworkComm", - "ec_theme": "ALM" - }, - "misc": { - "action": [ - "CONNECT", - "TCP_MISS" - ], - "content_type": "-\n", - "result_code": "200" - }, - "network": { - "domain": "login.yahoo.com" - }, - "time": { - "duration_time": 5006, - "event_time": "2006-09-08T04:21:52.000Z", - "event_time_str": "1157689312" - }, - "web": { - "alias_host": "login.yahoo.com" + "source": { + "address": "10.105.21.199", + "ip": "10.105.21.199", + "user": { + "name": "badeyek" } }, - "server": { - "domain": "login.yahoo.com", - "registered_domain": "yahoo.com", - "subdomain": "login", - "top_level_domain": "com" - }, - "source": { - "bytes": 19763, - "ip": [ - "10.105.21.199" - ] + "squid": { + "peer_host": "209.73.177.115", + "peer_status": "DIRECT", + "result_code": "TCP_MISS", + "status_code": 200 }, "tags": [ + "preserve_original_event", "squid-log", "forwarded" ], "url": { - "domain": "login.yahoo.com", - "original": "login.yahoo.com:443", - "registered_domain": "yahoo.com", - "subdomain": "login", - "top_level_domain": "com" - }, - "user": { - "name": "badeyek" + "original": "login.yahoo.com:443" } } \ No newline at end of file diff --git a/packages/squid/docs/README.md b/packages/squid/docs/README.md index c4c5a4aaa91..c2df20db368 100644 --- a/packages/squid/docs/README.md +++ b/packages/squid/docs/README.md 
@@ -12,830 +12,26 @@ The `log` dataset collects Squid logs. | Field | Description | Type | |---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| @timestamp | Event timestamp. | date | | container.id | Unique container id. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | | input.type | Type of Filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. 
(Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | | log.file.path | Full path to the log file this event came from. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. 
| keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. 
| match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
+| squid.content_type | The content type as seen in the HTTP reply header. | keyword |
+| squid.peer_host | Hostname or IP address where, in the event of a cache miss, the request was forwarded. | keyword |
+| squid.peer_status | A code explaining how the request was handled, by forwarding it to a peer or going straight to the source. | keyword |
+| squid.result_code | The outcome of the request. | keyword |
+| squid.status_code | The status of the result. | long |
diff --git a/packages/squid/img/squid-logo.png b/packages/squid/img/squid-logo.png
new file mode 100644
index 00000000000..3c9b811afc4
Binary files /dev/null and b/packages/squid/img/squid-logo.png differ
diff --git a/packages/squid/manifest.yml b/packages/squid/manifest.yml
index fa112a5bae5..8a92f9fadfe 100644
--- a/packages/squid/manifest.yml
+++ b/packages/squid/manifest.yml
@@ -1,12 +1,24 @@
-format_version: 2.7.0
+format_version: 3.2.1
 name: squid
-title: Squid Logs
-version: "0.19.3"
+title: Squid Proxy
+version: "0.20.0"
 description: Collect and parse logs from Squid devices with Elastic Agent.
-categories: ["security", "network", "proxy_security"]
+categories:
+ - network
+ - security
+ - proxy_security
+ - web
 type: integration
 conditions:
- kibana.version: "^7.14.1 || ^8.0.0"
+ kibana:
+ version: "^8.14.1"
+ elastic:
+ subscription: "basic"
+icons:
+ - src: /img/squid-logo.png
+ title: Squid Logo
+ size: 160x160
+ type: image/svg+xml
 policy_templates:
 - name: log
 title: Squid
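Review bot: The new `icons` entry declares `type: image/svg+xml` for `src: /img/squid-logo.png`, but the file added in the same commit is a PNG (`Binary files /dev/null and b/packages/squid/img/squid-logo.png differ`), so the MIME type should be `type: image/png`; `size: 160x160` is worth checking against the actual image dimensions as well. The `conditions.kibana.version` constraint also tightens from `^7.14.1 || ^8.0.0` to `^8.14.1`, which drops every 7.x and earlier 8.x stack from the compatible set; that is a larger change than the bump from 0.19.3 to 0.20.0 suggests and the changelog (not in view) should state it explicitly.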
@@ -18,8 +30,9 @@ policy_templates:
 - type: tcp
 title: Collect logs from Squid via TCP
 description: Collecting syslog from Squid via TCP
- - type: logfile
- title: Collect logs from Squid via file
- description: Collecting syslog from Squid via file.
+ - type: filestream
+ title: Collect logs from Squid via filestream
+ description: Collecting syslog from Squid via filestream
 owner:
 github: elastic/sec-deployment-and-devices
+ type: elastic
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index cd61bec12c0..3e854debcbf 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.60.3"
+ changes:
+ - description: Fix broken query on Users Renamed
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10698
 - version: "1.60.2"
 changes:
 - description: Add windows.forward where it was missing on visualizations and searches.
diff --git a/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json
index c83f459bd5c..ebf5b380044 100644
--- a/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json
+++ b/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json
@@ -4193,7 +4193,7 @@
 "dataType": "number",
 "filter": {
 "language": "kuery",
- "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.forwarded) AND event.code: \"4781\""
+ "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.forwarded) AND event.code: \"4781\")"
 },
 "isBucketed": false,
 "label": "Users Renamed",
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 1c7b43175d5..eab76b34d10 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
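Review bot: Replacing the `logfile` input with `filestream` changes the input type that installed package policies reference, so an upgrade of an existing policy may not carry the old file input across transparently; if the 0.20.0 changelog entry (not in this diff) does not flag the input change, it should. The filestream input also expects a unique `id` per input, which lives in the data stream's agent stream template rather than in this manifest, so that template is worth confirming in the same change. A smaller consistency point: the replaced description ended with a period (`via file.`) and the new one does not (`via filestream`), while the neighbouring `tcp` entry has none either; either style is fine as long as the three agree.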
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.60.2"
+version: "1.60.3"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml
index d20bfde9563..a95bf6b1b5c 100644
--- a/packages/ti_crowdstrike/changelog.yml
+++ b/packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.4"
+ changes:
+ - description: Fix max() calculation on empty resources leading to error.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10861
 - version: "1.1.3"
 changes:
 - description: Fix ECS date mapping on threat fields.
diff --git a/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs b/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs
index 656bd5a5ea7..0ed27dfded0 100644
--- a/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs
+++ b/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs
@@ -57,7 +57,7 @@ program: |
 "initial_interval": state.initial_interval,
 "next_url": "Next-Page" in resp.Header ? resp.Header["Next-Page"] : "",
 "cursor": {
- ?"last_timestamp": has(body.resources) ?
+ ?"last_timestamp": has(body.resources) && body.resources.size() > 0 ?
 optional.of(([?state.?cursor.last_timestamp] + body.resources.map(e, e.last_updated)).max())
 : state.?cursor.last_timestamp,
diff --git a/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs b/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs
index f761f9ef206..aa5c4e5e822 100644
--- a/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs
+++ b/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs
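Review bot: The added `body.resources.size() > 0` guard stops `max()` from running on an empty list, but `body.resources.map(e, e.last_updated)` on the following line still fails if any resource omits `last_updated`, and nothing in the hunk checks for that; if the API can return such elements, `body.resources.map(e, has(e.last_updated), e.last_updated)` drops them first, with the non-empty check then applied to the filtered list instead of `body.resources`. The `ioc` program in the next hunk has the same shape with `e.modified_on` and the same point applies there. Separately, this program takes `.max()` over the raw `last_updated` values whereas the `ioc` one converts with `timestamp(t)` before comparing; it is worth confirming that `last_updated` is a type whose `max()` orders chronologically, or converting here too for consistency. The enclosing CEL program starts before the hunk.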
@@ -66,7 +66,7 @@ program: |
 "batch_size": state.batch_size,
 "initial_interval": state.initial_interval,
 "cursor": {
- ?"last_timestamp": has(body.resources) ?
+ ?"last_timestamp": has(body.resources) && body.resources.size() > 0 ?
 optional.of(([?state.?cursor.last_timestamp] + body.resources.map(e, e.modified_on)).map(t, timestamp(t)).max())
 : state.?cursor.last_timestamp,
diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml
index 9292febf9a9..45d92b8639f 100644
--- a/packages/ti_crowdstrike/manifest.yml
+++ b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "1.1.3"
+version: "1.1.4"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md
index a5da2d56efc..f59fd24f039 100644
--- a/packages/wiz/_dev/build/docs/README.md
+++ b/packages/wiz/_dev/build/docs/README.md
@@ -1,6 +1,6 @@
 # Wiz
-Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security, including issues, vulnerability data and audit events, providing you with visibility and context for your cloud environments within Elastic Security.
+Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security, including issues, vulnerability data, cloud configuration findings and audit events, providing you with visibility and context for your cloud environments within Elastic Security.
 ## Data streams
@@ -48,6 +48,7 @@ This module has been tested against the **Wiz API Version v1**.
 | Audit | admin:audit |
 | Issue | read:issues |
 | Vulnerability | read:vulnerabilities |
+ | Cloud Configuration Finding | read:cloud_configuration |
 ### To obtain the Wiz URL
 1. Navigate to your user profile and copy the API Endpoint URL.
@@ -86,6 +87,16 @@ This is the `Audit` dataset.
 {{fields "audit"}}
+### Cloud Configuration Finding
+
+This is the `Cloud Configuration Finding` dataset.
+
+#### Example
+
+{{event "cloud_configuration_finding"}}
+
+{{fields "cloud_configuration_finding"}}
+
 ### Issue
 This is the `Issue` dataset.
diff --git a/packages/wiz/_dev/deploy/docker/docker-compose.yml b/packages/wiz/_dev/deploy/docker/docker-compose.yml
index 0c05cc92439..fd0fe808af1 100644
--- a/packages/wiz/_dev/deploy/docker/docker-compose.yml
+++ b/packages/wiz/_dev/deploy/docker/docker-compose.yml
@@ -13,6 +13,19 @@ services:
 - http-server
 - --addr=:8090
 - --config=/files/config-audit.yml
+ wiz-cloud_configuration_finding:
+ image: docker.elastic.co/observability/stream:v0.15.0
+ hostname: wiz-cloud_configuration_finding
+ ports:
+ - 8090
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: '8090'
+ command:
+ - http-server
+ - --addr=:8090
+ - --config=/files/config-cloud_configuration_finding.yml
 wiz-issue:
 image: docker.elastic.co/observability/stream:v0.15.0
 hostname: wiz-issue
diff --git a/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml
new file mode 100644
index 00000000000..008793fc332
--- /dev/null
+++ b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml
@@ -0,0 +1,36 @@ +rules: + - path: /oauth/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":null.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. 
\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":"eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19".*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}}],"pageInfo": {"hasNextPage": false,"endCursor": "eMJmaWVsZIkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 7a066f61144..f1337cb5814 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.7.0" + changes: + - description: Improve support for CDR in vulnerability data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/10892 +- version: "1.6.0" + changes: + - description: Add cloud_configuration_finding data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/10790 - version: "1.5.0" changes: - description: Add type field for issue datastream diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log new file mode 100644 index 00000000000..24e72b8acac 
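Review bot: The response bodies in this new file mix block-scalar chomping — the `/oauth/token` rule and the first `/graphql` rule use `body: |` while the second `/graphql` rule uses `body: |-` — so the first two responses are sent with a trailing newline and the last one is not; settle on `body: |-` for all three. The `Content-Type` value is likewise quoted (`'application/json'`) in the first rule and bare in the other two. The `/oauth/token` rule matches any POST regardless of body, so a regression in the token request (missing credentials or audience) would still get a token from the mock; if the mock server supports it, a `request_body` pattern for the expected grant parameters would tighten the test, though the token request format is not visible in this diff. The last page's `endCursor` (`eMJmaWVsZIkZp…`) is not the cursor the previous page returned; it is harmless while `hasNextPage` is `false`, but reusing the first cursor value avoids confusion when the fixture is extended.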
--- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log 
@@ -0,0 +1,4 @@ +{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} +{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. 
\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} \ No newline at end of file diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json new file mode 100644 index 00000000000..f7964384bc7 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json 
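Review bot: The fixture ends without a trailing newline (`\ No newline at end of file`), which the pipeline test runner tolerates but which turns the next appended sample into a noisy diff; add the final newline. The third and fourth records share `id` `6fe49e83-2f3a-5b62-99de-beae16c7bfae` and differ only in `resource.name` case (`annam-vm` vs `annam-VM`), `result` (`PASS` vs `IN_PROGRESS`) and the presence of `evidence`, which looks intended to exercise the result mapping; if the pipeline derives a document fingerprint from `id` (not visible here), the two would collide, so giving the fourth record a distinct id would keep that case unambiguous.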
@@ -0,0 +1,338 @@ +{ + "expected": [ + { + "@timestamp": "2023-06-12T11:38:07.900Z", + "cloud": { + "account": { + "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "state", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "sub_type": "Pod", + "type": "POD" + }, + "result": { + "evaluation": "FAILED" + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "Pod-32", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "native_type": "Pod", + "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "subscription": { + "cloud_provider": "Azure", + "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "type": "POD" + }, + "result": "FAIL", + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "73553de7-f2ad-4ffb-b425-c69815033530", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "short_id": "Pod-32" + } + } + } + }, + { + "@timestamp": "2024-08-07T12:55:52.012Z", + "cloud": { + "account": { + "id": "998231069301", + "name": "wiz-integrations" + }, + "provider": "aws", + "service": { + "name": "eks" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"cloudPlatform\":\"EKS\",\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n>**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. 
\\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). \\n```\\naws iam delete-access-key /\\n --access-key-id \\n```\\n>**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "message": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user", + "sub_type": "rootUser", + "type": "USER_ACCOUNT" + }, + "result": { + "evaluation": "PASSED" + }, + "rule": { + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. 
Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "IAM-006", + "name": "Root account access keys should not exist", + "remediation": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "uuid": "563ed717-4fb6-47fd-929e-9c794e201d0a" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user" + }, + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "resource": { + "cloud_platform": "EKS", + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "native_type": "rootUser", + "provider_id": "arn:aws:iam::998231069301:root", + "subscription": { + "cloud_provider": "AWS", + "external_id": "998231069301", + "name": "wiz-integrations" + }, + "type": "USER_ACCOUNT" + }, + "result": "PASS", + "rule": { + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. 
Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediation_instructions": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "short_id": "IAM-006" + } + } + } + }, + { + "@timestamp": "2024-08-15T11:41:17.517Z", + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-vm\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the Virtual 
Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\",\"evidence\":{\"cloudConfigurationLink\":\"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing\",\"configurationPath\":null,\"currentValue\":\"The VM is stopped(allocated) since 2024-08-15\",\"expectedValue\":\"The VM should be used or deallocated\"}}", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "message": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "name": "annam-vm", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "PASSED", + "evidence": { + "cloud_configuration_link": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "current_value": "The VM is stopped(allocated) since 2024-08-15", + "expected_value": "The VM should be used or deallocated" + } + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "reference": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "references": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "evidence": { + "cloud_configuration_link": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "current_value": "The VM is stopped(allocated) since 2024-08-15", + "expected_value": "The VM should be used or deallocated" + }, + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-vm", + "native_type": "Microsoft.Compute/virtualMachines", + "provider_id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "PASS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "@timestamp": "2024-08-15T11:41:17.517Z", + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "message": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "UNKNOWN" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "provider_id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-common-config.yml b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/system/test-default-config.yml b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..ef68501c21c --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/system/test-default-config.yml @@ -0,0 +1,15 @@ +input: cel +service: wiz-cloud_configuration_finding +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx + token_url: http://{{Hostname}}:{{Port}}/oauth/token +data_stream: + vars: + interval: 10s + batch_size: 2 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..c70685c6df1 --- /dev/null 
+++ b/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs 
@@ -0,0 +1,169 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} + endpoint_params: + grant_type: client_credentials + audience: wiz-api +redact: + fields: ~ +state: + initial_interval: {{initial_interval}} + want_more: false + batch_size: {{batch_size}} + query: >- + query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters $first: Int $after: String $orderBy: ConfigurationFindingOrder){ + configurationFindings(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) { + nodes { + id + analyzedAt + severity + result + remediation + resource { + id + providerId + name + nativeType + type + region + cloudPlatform + subscription { + id + name + externalId + cloudProvider + } + tags { + key + value + } + } + rule { + id + shortId + name + description + remediationInstructions + } + evidence { + currentValue + expectedValue + configurationPath + cloudConfigurationLink + } + } + pageInfo { + hasNextPage + endCursor + } + } + } +program: | + state.with( + post_request( + state.url.trim_right("/") + "/graphql", + "application/json", + { + "query": state.query, + "variables": { + "first": state.batch_size, + "after": state.?end_cursor.value.orValue(null), + "filterBy": { + "analyzedAt": { + "after": state.want_more ? + state.?cursor.first_timestamp.orValue(null) + : + state.?cursor.last_timestamp.orValue(string(now() - duration(state.initial_interval))) + } + } + } + }.encode_json() + ).do_request().as(resp, resp.StatusCode == 200 ? 
+ bytes(resp.Body).decode_json().as(body, has(body.?data.configurationFindings.nodes) ? + { + "events": body.data.configurationFindings.nodes.map(e, { + "message": e.encode_json(), + }), + "cursor": { + ?"last_timestamp": body.data.configurationFindings.nodes.size() > 0 ? + optional.of(body.data.configurationFindings.nodes.map(e, timestamp(e.analyzedAt)).max().as(last, + has(state.?cursor.last_timestamp) && last < timestamp(state.cursor.last_timestamp) ? + state.cursor.last_timestamp + : + string(last) + )) + : + state.?cursor.last_timestamp, + ?"first_timestamp": !has(body.data) || state.?cursor.first_timestamp.orValue(null) == null ? + optional.of(string(now() - duration(state.initial_interval))) + : body.data.configurationFindings.pageInfo.hasNextPage ? + state.?cursor.first_timestamp + : + state.?cursor.last_timestamp, + }, + "end_cursor": { + ?"value": body.?data.configurationFindings.pageInfo.hasNextPage.orValue(false) ? + body.?data.configurationFindings.pageInfo.endCursor + : + optional.none() + }, + "want_more": body.?data.configurationFindings.pageInfo.hasNextPage.orValue(false), + } + : + { + "events": [], + "want_more": false, + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST:"+( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
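Review bot: `client.secret: {{client_secret}}` and the other templated scalars under `auth.oauth2` and `resource.url` are rendered unquoted, so a secret that starts with a YAML indicator (`*`, `&`, `#`, `[`, `{`, `%`, `@`) or contains `: ` or ` #` mis-parses the rendered policy instead of failing cleanly; unless the package's other templates already rely on the agent's renderer to quote for them, `client.secret: "{{client_secret}}"` is the safer form. `redact: fields: ~` is only correct because the credentials live under `auth.oauth2` and not in `state`; if a token or secret is ever carried in `state` it must be listed there, and `null` reads more clearly than `~`. In `program`, the `!has(body.data)` test inside the `first_timestamp` expression is always false because the whole branch is guarded by `has(body.?data.configurationFindings.nodes)`, so dropping it makes the cursor update easier to follow.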
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..db1c75dfdce --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,397 @@ +--- +description: Pipeline for processing Cloud Configuration Finding logs +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: '8.11.0' + - rename: + field: message + tag: rename_message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.' + - remove: + field: message + tag: remove_message + ignore_missing: true + if: ctx.event?.original != null + description: 'The `message` field is no longer required if the document has an `event.original` field.' + - json: + field: event.original + tag: json_decoding + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: observer.vendor + tag: set_observer_vendor + value: 'Wiz' + - rename: + field: json.resource.subscription.cloudProvider + tag: rename_cloudProvider + target_field: wiz.cloud_configuration_finding.resource.subscription.cloud_provider + ignore_missing: true + - lowercase: + field: wiz.cloud_configuration_finding.resource.subscription.cloud_provider + target_field: cloud.provider + tag: set_cloud_provider_lowercase + ignore_missing: true + - rename: + field: json.resource.subscription.externalId + tag: rename_subscription_externalId + target_field: wiz.cloud_configuration_finding.resource.subscription.external_id + ignore_missing: true + - set: + field: cloud.account.id + tag: set_cloud_account_id + copy_from: wiz.cloud_configuration_finding.resource.subscription.external_id + ignore_empty_value: true + - rename: + field: json.resource.subscription.name + tag: 
rename_subscription_name + target_field: wiz.cloud_configuration_finding.resource.subscription.name + ignore_missing: true + - set: + field: cloud.account.name + tag: set_cloud_account_name + copy_from: wiz.cloud_configuration_finding.resource.subscription.name + ignore_empty_value: true + - rename: + field: json.resource.region + tag: rename_region + target_field: wiz.cloud_configuration_finding.resource.region + ignore_missing: true + - set: + field: cloud.region + tag: set_cloud_region + copy_from: wiz.cloud_configuration_finding.resource.region + ignore_empty_value: true + - rename: + field: json.resource.cloudPlatform + tag: rename_cloud_plarform + target_field: wiz.cloud_configuration_finding.resource.cloud_platform + ignore_missing: true + - lowercase: + field: wiz.cloud_configuration_finding.resource.cloud_platform + target_field: cloud.service.name + tag: set_cloud_service_name_lowercase + ignore_missing: true + - append: + field: event.category + tag: append_event_category + value: configuration + - append: + field: event.type + tag: append_event_type + value: info + - date: + field: json.analyzedAt + target_field: wiz.cloud_configuration_finding.analyzed_at + tag: date_set_analyzedat + formats: + - ISO8601 + if: ctx.json?.analyzedAt != null && ctx.json.analyzedAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created + copy_from: wiz.cloud_configuration_finding.analyzed_at + ignore_empty_value: true + - rename: + field: json.id + tag: rename_id + target_field: wiz.cloud_configuration_finding.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id + copy_from: wiz.cloud_configuration_finding.id + ignore_empty_value: true + - set: + field: event.kind + value: state + tag: 
set_event_kind + - rename: + field: json.rule.description + tag: rename_rule_description + target_field: wiz.cloud_configuration_finding.rule.description + ignore_missing: true + - set: + field: message + tag: set_message + copy_from: wiz.cloud_configuration_finding.rule.description + ignore_empty_value: true + - set: + field: rule.description + tag: set_rule_description + copy_from: wiz.cloud_configuration_finding.rule.description + ignore_empty_value: true + - date: + field: json.analyzedAt + tag: date_set_timestamp + formats: + - ISO8601 + if: ctx.json?.analyzedAt != null && ctx.json.analyzedAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.rule.id + tag: rename_rule_id + target_field: wiz.cloud_configuration_finding.rule.id + ignore_missing: true + - set: + field: rule.uuid + tag: set_rule_uuid + copy_from: wiz.cloud_configuration_finding.rule.id + ignore_empty_value: true + - rename: + field: json.rule.shortId + tag: rename_rule_short_id + target_field: wiz.cloud_configuration_finding.rule.short_id + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id + copy_from: wiz.cloud_configuration_finding.rule.short_id + ignore_empty_value: true + - rename: + field: json.rule.name + tag: rename_rule_name + target_field: wiz.cloud_configuration_finding.rule.name + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name + copy_from: wiz.cloud_configuration_finding.rule.name + ignore_empty_value: true + - rename: + field: json.rule.remediationInstructions + tag: rename_rule_remediation_instructions + target_field: wiz.cloud_configuration_finding.rule.remediation_instructions + ignore_missing: true + - set: + field: rule.remediation + tag: set_rule_remediation + copy_from: 
wiz.cloud_configuration_finding.rule.remediation_instructions + ignore_empty_value: true + - rename: + field: json.resource.id + tag: rename_resource_id + target_field: wiz.cloud_configuration_finding.resource.id + ignore_missing: true + - rename: + field: json.resource.providerId + tag: rename_resource_providerId + target_field: wiz.cloud_configuration_finding.resource.provider_id + ignore_missing: true + - set: + field: resource.id + tag: set_resource_id + copy_from: wiz.cloud_configuration_finding.resource.provider_id + ignore_empty_value: true + - rename: + field: json.resource.name + tag: rename_resource_name + target_field: wiz.cloud_configuration_finding.resource.name + ignore_missing: true + - set: + field: resource.name + tag: set_resource_name + copy_from: wiz.cloud_configuration_finding.resource.name + ignore_empty_value: true + - rename: + field: json.resource.type + tag: rename_resource_type + target_field: wiz.cloud_configuration_finding.resource.type + ignore_missing: true + - set: + field: resource.type + tag: set_resource_type + copy_from: wiz.cloud_configuration_finding.resource.type + ignore_empty_value: true + - rename: + field: json.resource.nativeType + tag: rename_resource_nativeType + target_field: wiz.cloud_configuration_finding.resource.native_type + ignore_missing: true + - set: + field: resource.sub_type + tag: set_resource_sub_type + copy_from: wiz.cloud_configuration_finding.resource.native_type + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_if_user_account + copy_from: wiz.cloud_configuration_finding.resource.name + if: ctx?.resource?.type == 'USER_ACCOUNT' + ignore_empty_value: true + - set: + field: user.id + tag: set_user_id_if_user_account + copy_from: wiz.cloud_configuration_finding.resource.provider_id + if: ctx.resource?.type == 'USER_ACCOUNT' + ignore_empty_value: true + - lowercase: + field: wiz.cloud_configuration_finding.resource.name + target_field: host.name + tag: 
set_host_name_lowercase_if_vm + if: ctx?.resource?.type == 'VIRTUAL_MACHINE' + ignore_missing: true + - rename: + field: json.result + tag: rename_result + target_field: wiz.cloud_configuration_finding.result + ignore_missing: true + - set: + field: result.evaluation + tag: set_result_evaluation_passed + value: 'PASSED' + if: ctx?.wiz?.cloud_configuration_finding?.result == 'PASS' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_failed + value: 'FAILED' + if: ctx?.wiz?.cloud_configuration_finding?.result == 'FAIL' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_unknown + value: 'UNKNOWN' + if: ctx?.wiz?.cloud_configuration_finding?.result != 'PASS' && ctx?.wiz?.cloud_configuration_finding?.result != 'FAIL' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_success + value: 'success' + if: ctx?.wiz?.cloud_configuration_finding?.result == 'PASS' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_failure + value: 'failure' + if: ctx?.wiz?.cloud_configuration_finding?.result == 'FAIL' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: 'unknown' + if: ctx?.wiz?.cloud_configuration_finding?.result != 'PASS' && ctx?.wiz?.cloud_configuration_finding?.result != 'FAIL' + ignore_empty_value: true + - rename: + field: json.evidence.currentValue + tag: rename_evidence_current_value + target_field: wiz.cloud_configuration_finding.evidence.current_value + ignore_missing: true + - set: + field: result.evidence.current_value + tag: set_result_evidence_current_value + copy_from: wiz.cloud_configuration_finding.evidence.current_value + ignore_empty_value: true + - rename: + field: json.evidence.expectedValue + tag: rename_evidence_expected_value + target_field: wiz.cloud_configuration_finding.evidence.expected_value + ignore_missing: true + - set: + field: 
result.evidence.expected_value + tag: set_result_evidence_expected_value + copy_from: wiz.cloud_configuration_finding.evidence.expected_value + ignore_empty_value: true + - rename: + field: json.evidence.configurationPath + tag: rename_evidence_configuration_path + target_field: wiz.cloud_configuration_finding.evidence.configuration_path + ignore_missing: true + - set: + field: result.evidence.configuration_path + tag: set_result_evidence_configuration_path + copy_from: wiz.cloud_configuration_finding.evidence.configuration_path + ignore_empty_value: true + - rename: + field: json.evidence.cloudConfigurationLink + tag: rename_evidence_cloud_configuration_link + target_field: wiz.cloud_configuration_finding.evidence.cloud_configuration_link + ignore_missing: true + - set: + field: result.evidence.cloud_configuration_link + tag: set_result_evidence_cloud_configuration_link + copy_from: wiz.cloud_configuration_finding.evidence.cloud_configuration_link + ignore_empty_value: true + - set: + field: rule.reference + tag: set_rule_reference + copy_from: wiz.cloud_configuration_finding.evidence.cloud_configuration_link + ignore_empty_value: true + - set: + field: rule.references + tag: set_rule_references + copy_from: wiz.cloud_configuration_finding.evidence.cloud_configuration_link + ignore_empty_value: true + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: + - wiz.cloud_configuration_finding.analyzed_at + - wiz.cloud_configuration_finding.resource.subscription.cloud_provider + - wiz.cloud_configuration_finding.resource.subscription.external_id + - wiz.cloud_configuration_finding.resource.subscription.name + - wiz.cloud_configuration_finding.resource.region + - wiz.cloud_configuration_finding.resource.name + - wiz.cloud_configuration_finding.resource.type + - wiz.cloud_configuration_finding.resource.sub_type + - wiz.cloud_configuration_finding.resource.provider_id + - wiz.cloud_configuration_finding.id + - 
wiz.cloud_configuration_finding.rule.description + - wiz.cloud_configuration_finding.rule.name + - wiz.cloud_configuration_finding.rule.id + - wiz.cloud_configuration_finding.rule.short_id + - wiz.cloud_configuration_finding.rule.remediation_instructions + - wiz.cloud_configuration_finding.evidence.expected_value + - wiz.cloud_configuration_finding.evidence.current_value + - wiz.cloud_configuration_finding.evidence.configuration_path + - wiz.cloud_configuration_finding.evidence.cloud_configuration_link + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - script: + description: Drops null/empty values recursively. + tag: script_to_drop_null_values + lang: painless + source: | + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null +on_failure: + - set: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml new file mode 100644 index 00000000000..92b378a4c0f --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml 
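Review bot: The `remove_custom_duplicate_fields` list names `wiz.cloud_configuration_finding.resource.sub_type`, a field this pipeline never creates, while the field it actually copies into `resource.sub_type` is `wiz.cloud_configuration_finding.resource.native_type`; with `preserve_duplicate_custom_fields` unset the duplicate therefore survives, and the entry should read `- wiz.cloud_configuration_finding.resource.native_type`. `wiz.cloud_configuration_finding.resource.cloud_platform` is likewise lowercased into `cloud.service.name` but is missing from the list, although `subscription.cloud_provider`, which gets the same treatment, is present, so the omission looks unintended. The tag `rename_cloud_plarform` is misspelled (`rename_cloud_platform`); tags are interpolated into `error.message` by the on_failure template, so the typo would be user-visible. The `ctx?.` prefix in the `USER_ACCOUNT` and `VIRTUAL_MACHINE` conditions is redundant (`ctx` is never null) and inconsistent with the `ctx.resource?.type` form used two processors later.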
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: wiz +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: wiz.cloud_configuration_finding +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml new file mode 100644 index 00000000000..b3701b581cf --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml @@ -0,0 +1,9 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: tags + type: keyword + description: User defined tags. diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml new file mode 100644 index 00000000000..eea63ef4778 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml 
@@ -0,0 +1,59 @@ +- name: wiz.cloud_configuration_finding + type: group + fields: + - name: analyzed_at + type: date + - name: resource + type: group + fields: + - name: id + type: keyword + - name: provider_id + type: keyword + - name: name + type: keyword + - name: region + type: keyword + - name: type + type: keyword + - name: native_type + type: keyword + - name: cloud_platform + type: keyword + - name: subscription + type: group + fields: + - name: cloud_provider + type: keyword + - name: external_id + type: keyword + - name: name + type: keyword + - name: id + type: keyword + - name: result + type: keyword + - name: evidence + type: group + fields: + - name: current_value + type: text + - name: expected_value + type: text + - name: configuration_path + type: text + - name: cloud_configuration_link + type: text + - name: rule + type: group + fields: + - name: id + type: keyword + - name: short_id + type: keyword + - name: name + type: keyword + - name: description + type: text + - name: remediation_instructions + type: text diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/resource.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/resource.yml new file mode 100644 index 00000000000..c093c299032 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/resource.yml @@ -0,0 +1,11 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: sub_type + type: keyword diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/result.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/result.yml new file mode 100644 index 00000000000..c465d18bc64 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/result.yml 
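Review bot: `wiz.cloud_configuration_finding.resource.subscription.id` is declared here but never populated: the pipeline in this change renames only `cloudProvider`, `externalId` and `name` out of `json.resource.subscription`, and the remaining `json.resource.subscription.id` is discarded by the `remove_json` processor, as the expected test output (which carries no `subscription.id`) confirms. Either add a rename for it in the pipeline or drop the mapping so the schema reflects what is indexed. The `tags { key value }` selected by the GraphQL query in `cel.yml.hbs` are dropped the same way and have no mapping; if they are not wanted, removing them from the query trims the payload, and if they are, they need both a rename and a field definition.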
@@ -0,0 +1,16 @@
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: keyword
+ - name: evidence
+ type: group
+ fields:
+ - name: current_value
+ type: text
+ - name: expected_value
+ type: text
+ - name: configuration_path
+ type: text
+ - name: cloud_configuration_link
+ type: text
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml
new file mode 100644
index 00000000000..b9d505b971f
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml
@@ -0,0 +1,17 @@
+- name: rule
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: description
+ type: text
+ - name: remediation
+ type: text
+ - name: references
+ type: text
+ - name: reference
+ type: text
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml b/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml
new file mode 100644
index 00000000000..8c52e76db10
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml
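Review bot: rule.yml declares both `rule.references` and `rule.reference` as `text`, which reads as an accidental near-duplicate; the sample event in this diff populates neither, so it is not clear which one the pipeline is meant to fill, and one of them should go. As far as I recall, ECS defines `rule.id`, `rule.name`, `rule.description`, `rule.reference` and `rule.uuid` and types `rule.description` and `rule.reference` as `keyword`, so the local `type: text` on those two would disagree with an ECS import of the same fields elsewhere in the package; either drop the local declarations for the ECS fields or align the types with ECS. If Wiz's references are a list of URLs, a `keyword` field is also what allows them to be aggregated and pivoted on in detections.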
@@ -0,0 +1,81 @@
+title: Collet Cloud Configuration Finding logs from Wiz.
+type: logs
+streams:
+ - input: cel
+ title: Cloud Configuration Finding logs
+ enabled: false
+ description: Collect Cloud Configuration Finding logs from Wiz.
+ template_path: cel.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the Cloud Configuration Finding logs from Wiz. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the Wiz API. The maximum supported batch size value is 500.
+ default: 500
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - wiz-cloud_configuration_finding
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve wiz.cloud_configuration_finding fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json
new file mode 100644
index 00000000000..3ae1ac272cb
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json
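Review bot: The stream title on the first line of manifest.yml reads `title: Collet Cloud Configuration Finding logs from Wiz.` and should be `title: Collect Cloud Configuration Finding logs from Wiz.`, matching the `description` line a few lines below it. The `enable_request_tracer` description links to the httpjson input's request-tracer documentation although this stream uses `template_path: cel.yml.hbs`, so the link should point at the cel input's equivalent section; the warning that tracing writes full requests and responses, including credentials, to the agent's local disk is the right thing to keep. `batch_size` documents a maximum of 500 but the manifest declares no upper bound, so an out-of-range value is only rejected, if at all, by the Wiz API at runtime; if the package format supports it, a maximum on the variable would fail fast at policy time.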
@@ -0,0 +1,76 @@ +{ + "@timestamp": "2023-06-12T11:38:07.900Z", + "cloud": { + "account": { + "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "state", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "sub_type": "Pod", + "type": "POD" + }, + "result": { + "evaluation": "FAILED" + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "Pod-32", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "native_type": "Pod", + "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "subscription": { + "cloud_provider": "Azure", + "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "type": "POD" + }, + "result": "FAIL", + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "73553de7-f2ad-4ffb-b425-c69815033530", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n",
+ "short_id": "Pod-32"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
index 573daea31d4..0df064c5069 100644
--- a/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
+++ b/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
@@ -28,20 +28,39 @@
 }
 },
 "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "observer": {
+ "vendor": "Wiz"
+ },
+ "package": {
+ "fixed_version": "4.0.3-35.amzn2.0.1",
+ "version": "4.0.3-35.amzn2"
+ },
 "related": {
 "ip": [
 "89.160.20.112",
 "89.160.20.128"
 ]
 },
+ "resource": {
+ "id": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3",
+ "name": "test-4"
+ },
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields"
 ],
 "vulnerability": {
+ "cwe": "CVE-2020-3333",
 "description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
 "id": "CVE-2020-3333",
+ "package": {
+ "fixed_version": "4.0.3-35.amzn2.0.1",
+ "version": "4.0.3-35.amzn2"
+ },
 "reference": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html",
+ "score": {
+ "base": 5.5
+ },
 "severity": "MEDIUM"
 },
 "wiz": {
diff --git a/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
index 4f2153d9ed8..e0e441ed4d1 100644
--- a/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
@@ -563,6 +563,49 @@ processors:
 tag: set_pipeline_error_to_event_kind
 value: pipeline_error
 if: ctx.error?.message != null
+ - set:
+ field: vulnerability.package.fixed_version
+ tag: set_vulnerability_package_fixed_version
+ copy_from: wiz.vulnerability.fixed_version
+ ignore_empty_value: true
+ - set:
+ field: package.fixed_version
+ tag: set_package_fixed_version
+ copy_from: wiz.vulnerability.fixed_version
+ ignore_empty_value: true
+ - set:
+ field: vulnerability.package.version
+ tag: set_vulnerability_package_version
+ copy_from: wiz.vulnerability.version
+ ignore_empty_value: true
+ - set:
+ field: vulnerability.score.base
+ tag: set_vulnerability_score_base
+ copy_from: wiz.vulnerability.score
+ - set:
+ field: resource.id
+ tag: set_resource_id
+ copy_from: wiz.vulnerability.vulnerable_asset.provider_unique_id
+ ignore_empty_value: true
+ - set:
+ field: resource.name
+ tag: set_resource_name
+ copy_from: wiz.vulnerability.vulnerable_asset.name
+ ignore_empty_value: true
+ - set:
+ field: package.version
+ tag: set_package_version
+ copy_from: wiz.vulnerability.version
+ ignore_empty_value: true
+ - set:
+ field: vulnerability.cwe
+ tag: set_vulnerability_cwe
+ copy_from: vulnerability.id
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ tag: set_observer_vendor
+ value: 'Wiz'
 on_failure:
 - append:
 field: error.message
diff --git a/packages/wiz/data_stream/vulnerability/fields/fields.yml b/packages/wiz/data_stream/vulnerability/fields/fields.yml
index efc2c254043..2781632869a 100644
--- a/packages/wiz/data_stream/vulnerability/fields/fields.yml
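Review bot: `set_vulnerability_cwe` copies `vulnerability.id` into `vulnerability.cwe`, so a CVE identifier is written into a field that holds a CWE weakness identifier; the updated expected output earlier in this diff shows exactly that, `"cwe": "CVE-2020-3333"`, and the new `vulnerability.cwe` keyword in fields.yml only makes the mislabelled value searchable. Unless the Wiz payload carries a CWE, drop this processor rather than populate the field with the wrong identifier type, since analysts and detection content that pivot on CWE will be misled. `set_vulnerability_score_base` is also the only new `set` without `ignore_empty_value: true`; with `copy_from`, a document that lacks `wiz.vulnerability.score` makes the processor throw and routes the whole event to the pipeline's `on_failure`, so add `ignore_empty_value: true` for consistency with its siblings. The `processors` list starts outside the hunk.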
+++ b/packages/wiz/data_stream/vulnerability/fields/fields.yml
@@ -154,3 +154,27 @@
 type: keyword
 - name: type
 type: keyword
+- name: vulnerability
+ type: group
+ fields:
+ - name: cwe
+ type: keyword
+ - name: package
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ - name: fixed_version
+ type: keyword
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+- name: package
+ type: group
+ fields:
+ - name: fixed_version
+ type: keyword
diff --git a/packages/wiz/data_stream/vulnerability/sample_event.json b/packages/wiz/data_stream/vulnerability/sample_event.json
index 30c01c70b3b..bbb99552cd0 100644
--- a/packages/wiz/data_stream/vulnerability/sample_event.json
+++ b/packages/wiz/data_stream/vulnerability/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2023-08-16T18:40:57.000Z",
 "agent": {
- "ephemeral_id": "bd7b9b1e-3c24-48fb-ad27-fc8578793608",
- "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf",
+ "ephemeral_id": "5c846d63-065b-40a3-8cce-c3e8f1276807",
+ "id": "8296d384-1353-4d79-be72-f8a106bdc5d2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "cloud": {
 "provider": "AWS",
@@ -13,7 +13,7 @@
 },
 "data_stream": {
 "dataset": "wiz.vulnerability",
- "namespace": "ep",
+ "namespace": "15860",
 "type": "logs"
 },
 "device": {
@@ -23,9 +23,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf",
+ "id": "8296d384-1353-4d79-be72-f8a106bdc5d2",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -33,7 +33,7 @@ "vulnerability" ], "dataset": "wiz.vulnerability", - "ingested": "2023-10-03T10:23:54Z", + "ingested": "2024-08-27T12:03:01Z", "kind": "alert", "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"riskProfile\":{\"businessImpa
ct\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}", "type": [ 
@@ -48,13 +48,24 @@
 "input": {
 "type": "cel"
 },
- "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "observer": {
+ "vendor": "Wiz"
+ },
+ "package": {
+ "fixed_version": "4.0.3-35.amzn2.0.1",
+ "version": "4.0.3-35.amzn2"
+ },
 "related": {
 "ip": [
 "89.160.20.112",
 "89.160.20.128"
 ]
 },
+ "resource": {
+ "id": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3",
+ "name": "test-4"
+ },
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
@@ -62,9 +73,17 @@
 "wiz-vulnerability"
 ],
 "vulnerability": {
+ "cwe": "CVE-2020-3333",
 "description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
 "id": "CVE-2020-3333",
+ "package": {
+ "fixed_version": "4.0.3-35.amzn2.0.1",
+ "version": "4.0.3-35.amzn2"
+ },
 "reference": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html",
+ "score": {
+ "base": 5.5
+ },
 "severity": "MEDIUM"
 },
 "wiz": {
@@ -72,7 +91,7 @@
 "cve_description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
 "cvss_severity": "MEDIUM",
 "data_source_name": "data Source",
- "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
 "detailed_name": "libtiff",
 "detection_method": "PACKAGE",
 "epss": {
diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index 97da5fcd7eb..98aa9c7a55d 100644 --- a/packages/wiz/docs/README.md +++ b/packages/wiz/docs/README.md @@ -1,6 +1,6 @@ # Wiz -Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security, including issues, vulnerability data and audit events, providing you with visibility and context for your cloud environments within Elastic Security. +Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security, including issues, vulnerability data, cloud configuration findings and audit events, providing you with visibility and context for your cloud environments within Elastic Security. ## Data streams @@ -48,6 +48,7 @@ This module has been tested against the **Wiz API Version v1**. | Audit | admin:audit | | Issue | read:issues | | Vulnerability | read:vulnerabilities | + | Cloud Configuration Finding | read:cloud_configuration | ### To obtain the Wiz URL 1. Navigate to your user profile and copy the API Endpoint URL. 
@@ -212,6 +213,146 @@ An example event for `audit` looks as following: | wiz.audit.user_agent | | keyword | +### Cloud Configuration Finding + +This is the `Cloud Configuration Finding` dataset. + +#### Example + +An example event for `cloud_configuration_finding` looks as following: + +```json +{ + "@timestamp": "2023-06-12T11:38:07.900Z", + "cloud": { + "account": { + "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "state", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "sub_type": "Pod", + "type": "POD" + }, + "result": { + "evaluation": "FAILED" + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "Pod-32", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "native_type": "Pod", + "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "subscription": { + "cloud_provider": "Azure", + "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "type": "POD" + }, + "result": "FAIL", + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "73553de7-f2ad-4ffb-b425-c69815033530", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "short_id": "Pod-32" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| resource.id | | keyword | +| resource.name | | keyword | +| resource.sub_type | | keyword | +| resource.type | | keyword | +| result.evaluation | | keyword | +| result.evidence.cloud_configuration_link | | text | +| result.evidence.configuration_path | | text | +| result.evidence.current_value | | text | +| result.evidence.expected_value | | text | +| rule.description | | text | +| rule.id | | keyword | +| rule.name | | keyword | +| rule.reference | | text | +| rule.references | | text | +| rule.remediation | | text | +| rule.uuid | | keyword | +| tags | User defined tags. 
| keyword | +| wiz.cloud_configuration_finding.analyzed_at | | date | +| wiz.cloud_configuration_finding.evidence.cloud_configuration_link | | text | +| wiz.cloud_configuration_finding.evidence.configuration_path | | text | +| wiz.cloud_configuration_finding.evidence.current_value | | text | +| wiz.cloud_configuration_finding.evidence.expected_value | | text | +| wiz.cloud_configuration_finding.id | | keyword | +| wiz.cloud_configuration_finding.resource.cloud_platform | | keyword | +| wiz.cloud_configuration_finding.resource.id | | keyword | +| wiz.cloud_configuration_finding.resource.name | | keyword | +| wiz.cloud_configuration_finding.resource.native_type | | keyword | +| wiz.cloud_configuration_finding.resource.provider_id | | keyword | +| wiz.cloud_configuration_finding.resource.region | | keyword | +| wiz.cloud_configuration_finding.resource.subscription.cloud_provider | | keyword | +| wiz.cloud_configuration_finding.resource.subscription.external_id | | keyword | +| wiz.cloud_configuration_finding.resource.subscription.name | | keyword | +| wiz.cloud_configuration_finding.resource.type | | keyword | +| wiz.cloud_configuration_finding.result | | keyword | +| wiz.cloud_configuration_finding.rule.description | | text | +| wiz.cloud_configuration_finding.rule.id | | keyword | +| wiz.cloud_configuration_finding.rule.name | | keyword | +| wiz.cloud_configuration_finding.rule.remediation_instructions | | text | +| wiz.cloud_configuration_finding.rule.short_id | | keyword | + + ### Issue This is the `Issue` dataset. 
@@ -489,11 +630,11 @@ An example event for `vulnerability` looks as following:
 {
 "@timestamp": "2023-08-16T18:40:57.000Z",
 "agent": {
- "ephemeral_id": "bd7b9b1e-3c24-48fb-ad27-fc8578793608",
- "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf",
+ "ephemeral_id": "5c846d63-065b-40a3-8cce-c3e8f1276807",
+ "id": "8296d384-1353-4d79-be72-f8a106bdc5d2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "cloud": {
 "provider": "AWS",
@@ -501,7 +642,7 @@ An example event for `vulnerability` looks as following:
 },
 "data_stream": {
 "dataset": "wiz.vulnerability",
- "namespace": "ep",
+ "namespace": "15860",
 "type": "logs"
 },
 "device": {
@@ -511,9 +652,9 @@ An example event for `vulnerability` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf",
+ "id": "8296d384-1353-4d79-be72-f8a106bdc5d2",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -521,7 +662,7 @@ An example event for `vulnerability` looks as following: "vulnerability" ], "dataset": "wiz.vulnerability", - "ingested": "2023-10-03T10:23:54Z", + "ingested": "2024-08-27T12:03:01Z", "kind": "alert", "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68
bd8\",\"name\":\"Project2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}", "type": [ 
@@ -536,13 +677,24 @@ An example event for `vulnerability` looks as following:
 "input": {
 "type": "cel"
 },
- "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "observer": {
+ "vendor": "Wiz"
+ },
+ "package": {
+ "fixed_version": "4.0.3-35.amzn2.0.1",
+ "version": "4.0.3-35.amzn2"
+ },
 "related": {
 "ip": [
 "89.160.20.112",
 "89.160.20.128"
 ]
 },
+ "resource": {
+ "id": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3",
+ "name": "test-4"
+ },
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
@@ -550,9 +702,17 @@ An example event for `vulnerability` looks as following:
 "wiz-vulnerability"
 ],
 "vulnerability": {
+ "cwe": "CVE-2020-3333",
 "description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
 "id": "CVE-2020-3333",
+ "package": {
+ "fixed_version": "4.0.3-35.amzn2.0.1",
+ "version": "4.0.3-35.amzn2"
+ },
 "reference": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html",
+ "score": {
+ "base": 5.5
+ },
 "severity": "MEDIUM"
 },
 "wiz": {
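Review bot: The added `vulnerability.cwe` carries `CVE-2020-3333`, the same value as `vulnerability.id`; ECS `vulnerability.cwe` is meant to hold a weakness class (`CWE-nnn`), not a CVE identifier, so whatever produces it (the ingest pipeline, not shown in this PR) appears to map the wrong source attribute and will mislead anyone grouping findings by weakness. The `event.original` payload in the earlier hunk has no CWE attribute at all (its `name` is the CVE id), so unless Wiz supplies one the field should be dropped rather than filled with a CVE, together with the `| vulnerability.cwe | | keyword |` row added in the exported-fields hunk below. The `vulnerability.package` and `vulnerability.score.base` additions are consistent with `fixedVersion`, `version` and `score` in the payload.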
@@ -560,7 +720,7 @@ An example event for `vulnerability` looks as following:
 "cve_description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
 "cvss_severity": "MEDIUM",
 "data_source_name": "data Source",
- "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
+ "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.",
 "detailed_name": "libtiff",
 "detection_method": "PACKAGE",
 "epss": {
@@ -676,6 +836,12 @@ An example event for `vulnerability` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
+| package.fixed_version | | keyword |
+| resource.id | | keyword |
+| resource.name | | keyword |
+| vulnerability.cwe | | keyword |
+| vulnerability.package.fixed_version | | keyword |
+| vulnerability.package.version | | keyword |
 | wiz.vulnerability.cve_description | | keyword |
 | wiz.vulnerability.cvss_severity | | keyword |
 | wiz.vulnerability.data_source_name | | keyword |
diff --git a/packages/wiz/img/wiz-cloud_configuration_finding-dashboard.png b/packages/wiz/img/wiz-cloud_configuration_finding-dashboard.png
new file mode 100644
index 00000000000..ca117fe6063
Binary files /dev/null and b/packages/wiz/img/wiz-cloud_configuration_finding-dashboard.png differ
diff --git a/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json b/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json
new file mode 100644
index 00000000000..3d93a40f417
--- /dev/null
+++ b/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json
@@ -0,0 +1,907 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Navigation\n\n[Wiz Cloud Configuration Finding (This page)](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\nOverview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. 
It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 23, + "i": "94a743d5-faba-431e-b382-1fc7315b7e3e", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "94a743d5-faba-431e-b382-1fc7315b7e3e", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8ff07557-c729-44e8-a680-dde18deb6b15", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d5578bce-ec1a-4e71-b7b2-8dd69b024ffa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "993be04b-915b-4bb0-a147-1528ac280e99", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8ff07557-c729-44e8-a680-dde18deb6b15": { + "columnOrder": [ + "d5d2b36c-383e-42d2-a349-32e4d0fb2a9d", + "03bb962b-f00f-4b62-8fcd-2bf2d4c09c84", + "e58922b5-6f6c-4962-994e-065d3a3dfefc" + ], + "columns": { + "03bb962b-f00f-4b62-8fcd-2bf2d4c09c84": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e58922b5-6f6c-4962-994e-065d3a3dfefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "d5d2b36c-383e-42d2-a349-32e4d0fb2a9d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": 
[], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e58922b5-6f6c-4962-994e-065d3a3dfefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.id" + }, + "e58922b5-6f6c-4962-994e-065d3a3dfefc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d5578bce-ec1a-4e71-b7b2-8dd69b024ffa", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.cloud_configuration_finding" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.cloud_configuration_finding" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "result.evaluation", + "index": "993be04b-915b-4bb0-a147-1528ac280e99", + "key": "result.evaluation", + "negate": false, + "params": { + "query": "FAILED" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "result.evaluation": "FAILED" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d5d2b36c-383e-42d2-a349-32e4d0fb2a9d", + "isTransposed": false + }, + { + "columnId": "03bb962b-f00f-4b62-8fcd-2bf2d4c09c84", + "isTransposed": false, + "width": 407.75 + }, + { + "columnId": "e58922b5-6f6c-4962-994e-065d3a3dfefc", + "isTransposed": false + } + ], + 
"layerId": "8ff07557-c729-44e8-a680-dde18deb6b15", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "044ff952-a6d8-4fc2-a49f-8013448a5b2d", + "w": 34, + "x": 14, + "y": 0 + }, + "panelIndex": "044ff952-a6d8-4fc2-a49f-8013448a5b2d", + "title": "Top 10 Cloud Configuration Findings [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0d257928-266c-4ccd-8810-bf6605fc84aa", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "0d257928-266c-4ccd-8810-bf6605fc84aa": { + "columnOrder": [ + "1ef3121f-8913-43b1-8e27-fee4a9634085", + "c8d1ce7a-94a8-4c18-aa1e-73750fb11057", + "4647b17f-6e03-4e46-bfc4-32cd50852d2e", + "771f27cd-7061-4c0c-8961-a45321ba1bb5" + ], + "columns": { + "1ef3121f-8913-43b1-8e27-fee4a9634085": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Resource ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "771f27cd-7061-4c0c-8961-a45321ba1bb5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "resource.id" + }, + "4647b17f-6e03-4e46-bfc4-32cd50852d2e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Resource Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"771f27cd-7061-4c0c-8961-a45321ba1bb5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "resource.sub_type" + }, + "771f27cd-7061-4c0c-8961-a45321ba1bb5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c8d1ce7a-94a8-4c18-aa1e-73750fb11057": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Resource Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "771f27cd-7061-4c0c-8961-a45321ba1bb5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "resource.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "29515003-dffb-45b7-b127-e0cbcaa5ef40", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.cloud_configuration_finding" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.cloud_configuration_finding" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "result.evaluation", + "index": "a2545123-be3e-4cdd-bdea-be45d26270cc", + "key": "result.evaluation", + "negate": false, + "params": { + "query": "FAILED" + }, + 
"type": "phrase" + }, + "query": { + "match_phrase": { + "result.evaluation": "FAILED" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "1ef3121f-8913-43b1-8e27-fee4a9634085", + "isTransposed": false + }, + { + "columnId": "c8d1ce7a-94a8-4c18-aa1e-73750fb11057", + "isTransposed": false + }, + { + "columnId": "771f27cd-7061-4c0c-8961-a45321ba1bb5", + "isTransposed": false + }, + { + "columnId": "4647b17f-6e03-4e46-bfc4-32cd50852d2e", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "0d257928-266c-4ccd-8810-bf6605fc84aa", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "42f119fc-4f83-48fa-964d-2ba1255bdd3b", + "w": 34, + "x": 14, + "y": 12 + }, + "panelIndex": "42f119fc-4f83-48fa-964d-2ba1255bdd3b", + "title": "Top 10 resources with Cloud Configuration Findings [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b4711c80-3ee1-4b9c-bb16-1bd36f38ee4a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "157110fc-0ae9-411f-ab5b-3c0a0e5a4951", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b88673ee-a440-499f-a1e3-f1677aece4a2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b4711c80-3ee1-4b9c-bb16-1bd36f38ee4a": { + "columnOrder": [ + "9f796f7c-2b91-4c20-97a2-9b0e6e3a9c62", + "480eceb0-2157-4a5e-a38c-257f35ef7e3d", + "90be0c4f-6e2a-4156-b839-d03501ad7d69" + ], + "columns": { + "480eceb0-2157-4a5e-a38c-257f35ef7e3d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + 
"dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "90be0c4f-6e2a-4156-b839-d03501ad7d69": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "9f796f7c-2b91-4c20-97a2-9b0e6e3a9c62": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 Failed rules", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "90be0c4f-6e2a-4156-b839-d03501ad7d69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "157110fc-0ae9-411f-ab5b-3c0a0e5a4951", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.cloud_configuration_finding" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.cloud_configuration_finding" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "result.evaluation", + "index": "b88673ee-a440-499f-a1e3-f1677aece4a2", + "key": "result.evaluation", + "negate": false, + "params": { + "query": "FAILED" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "result.evaluation": "FAILED" + } + } + } + ], + "internalReferences": [], + 
"query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "90be0c4f-6e2a-4156-b839-d03501ad7d69" + ], + "layerId": "b4711c80-3ee1-4b9c-bb16-1bd36f38ee4a", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "9f796f7c-2b91-4c20-97a2-9b0e6e3a9c62", + "xAccessor": "480eceb0-2157-4a5e-a38c-257f35ef7e3d" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "083792d4-85c6-436b-ab41-60c74996826c", + "w": 24, + "x": 24, + "y": 23 + }, + "panelIndex": "083792d4-85c6-436b-ab41-60c74996826c", + "title": "Findings over Time [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-09219279-ad53-4df1-b814-895c09802b98", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9582928b-35f7-49a2-90cd-aab0dc84b52a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "09219279-ad53-4df1-b814-895c09802b98": { + "columnOrder": [ + "b82ad425-99a4-4121-b7bb-40db21bb254e", + "26015d52-9d21-4d9a-b3af-ae34e4e24e29" + ], + "columns": { + "26015d52-9d21-4d9a-b3af-ae34e4e24e29": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + 
"label": "Wiz Cloud Configuration Finding ID", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "b82ad425-99a4-4121-b7bb-40db21bb254e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 5 Wiz Cloud Configuration Finding Result Evaluation", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "26015d52-9d21-4d9a-b3af-ae34e4e24e29", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "result.evaluation" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9582928b-35f7-49a2-90cd-aab0dc84b52a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.cloud_configuration_finding" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.cloud_configuration_finding" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "09219279-ad53-4df1-b814-895c09802b98", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "26015d52-9d21-4d9a-b3af-ae34e4e24e29" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "b82ad425-99a4-4121-b7bb-40db21bb254e" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": 
"lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e684aa2c-8963-4cae-a04e-74b00b662a33", + "w": 24, + "x": 0, + "y": 23 + }, + "panelIndex": "e684aa2c-8963-4cae-a04e-74b00b662a33", + "title": "Vulnerability by Status [Logs Wiz]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Wiz] Cloud Configuration Finding", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-23T14:46:23.733Z", + "id": "wiz-726802c0-4007-48b9-bae5-09daa69d4368", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "044ff952-a6d8-4fc2-a49f-8013448a5b2d:indexpattern-datasource-layer-8ff07557-c729-44e8-a680-dde18deb6b15", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "044ff952-a6d8-4fc2-a49f-8013448a5b2d:d5578bce-ec1a-4e71-b7b2-8dd69b024ffa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "044ff952-a6d8-4fc2-a49f-8013448a5b2d:993be04b-915b-4bb0-a147-1528ac280e99", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42f119fc-4f83-48fa-964d-2ba1255bdd3b:indexpattern-datasource-layer-0d257928-266c-4ccd-8810-bf6605fc84aa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "083792d4-85c6-436b-ab41-60c74996826c:indexpattern-datasource-layer-b4711c80-3ee1-4b9c-bb16-1bd36f38ee4a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "083792d4-85c6-436b-ab41-60c74996826c:157110fc-0ae9-411f-ab5b-3c0a0e5a4951", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "083792d4-85c6-436b-ab41-60c74996826c:b88673ee-a440-499f-a1e3-f1677aece4a2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e684aa2c-8963-4cae-a04e-74b00b662a33:indexpattern-datasource-layer-09219279-ad53-4df1-b814-895c09802b98", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e684aa2c-8963-4cae-a04e-74b00b662a33:9582928b-35f7-49a2-90cd-aab0dc84b52a", + "type": "index-pattern" + } + ], + "type": "dashboard", + 
"typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index 7112027f6d0..bbdd35b58df 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: wiz title: Wiz -version: "1.5.0" +version: "1.7.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md index 196b043de25..8e2ce7ba447 100644 --- a/packages/zscaler_zia/_dev/build/docs/README.md +++ b/packages/zscaler_zia/_dev/build/docs/README.md 
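Review bot: The last pie panel in `panelsJSON` is titled `Vulnerability by Status [Logs Wiz]`, yet it aggregates `result.evaluation` under a `data_stream.dataset: wiz.cloud_configuration_finding` filter and its own column label reads `Top 5 Wiz Cloud Configuration Finding Result Evaluation`, so the title is a leftover from the vulnerability dashboard and mislabels the chart. Rename it to match the data, e.g. `"title": "Findings by Result Evaluation [Logs Wiz]"`. Separately, this panel and the `Findings over Time [Logs Wiz]` panel count on `"sourceField": "event.id"` while the two table panels count `___records___`; if `event.id` is not populated for this dataset (the exported-fields table added to the README in this PR does not list it), both panels will render empty, so confirm against the ingest pipeline or switch them to `___records___` as well.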
@@ -214,14 +214,14 @@ Sample Response: ![Escape feed setup image](../img/escape_feed.png?raw=true) See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs) -Zscaler Web Log response format (v7): +Zscaler Web Log response format (v9): ``` -\{"sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","refererurl":"%s{ereferer}","refererpath":"%s{erefererpath}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","eurl":"%s{eurl}","urlpath":"%s{eurlpath}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","clt
sslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","department":"%s{edepartment}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefer
erhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} 
+\{"version":"v9","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_mon
th":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{sr
vcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","refererpath":"/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com/index","urlpath":"/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","department":"Department%5CrN%40me","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} ``` ### Enabling the integration in Elastic: diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml index 2eb1c64fba8..b8783670bf3 100644 --- a/packages/zscaler_zia/changelog.yml +++ b/packages/zscaler_zia/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "3.2.3" + changes: + - description: Remove department field and add on_failure clauses. + type: bugfix + link: https://github.com/elastic/integrations/pull/10874 +- version: "3.2.2" + changes: + - description: Sanitize unwanted characters in firewall. + type: bugfix + link: https://github.com/elastic/integrations/pull/10858 +- version: "3.2.1" + changes: + - description: In web v8, use b64 fields to avoid encoding issues. + type: bugfix + link: https://github.com/elastic/integrations/pull/10855 - version: "3.2.0" changes: - description: Add hex-encoded fields in web logs. diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json new file mode 100644 index 00000000000..192414df11e --- /dev/null +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json 
@@ -0,0 +1,7 @@ +{ + "events": [ + { + "message": "{\"sourcetype\":\"zscalernss-fw\",\"event\":{\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"cltdomain\":\"www.example.com\",\"cdip\":\"2a02:cf40::\",\"outbytes\":\"10000\",\"cdport\":\"22\",\"destcountry\":\"USA\",\"devicemodel\":\"20L8S7WC08\",\"sdip\":\"67.43.156.0\",\"duration\":\"600\",\"sdport\":\"443\",\"tz\":\"GMT\",\"action\":\"Blocked\",\"devicehostname\":\"THINKPADSMITH\",\"recordid\":\"123456\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicename\":\"admin\",\"nwsvc\":\"HTTP\",\"deviceostype\":\"iOS\",\"ipsrulelabel\":\"Default IPS Rule\",\"nwapp\":\"Skype\",\"rdr_rulename\":\"FWD_Rule_1\",\"proto\":\"TCP\",\"rulelabel\":\"rule1\",\"dnatrulelabel\":\"DNAT_Rule_1\",\"srcipcountry\":\"United States\",\"rule\":\"Default_Firewall_Filtering_Rule\",\"ssip\":\"1.128.0.0\",\"inbytes\":\"10000\",\"ssport\":\"22\",\"csip\":\"0.0.0.0\",\"aggregate\":\"Yes\",\"csport\":\"25\",\"bypass_time\":\"Mon Oct 16 22:55:48 2023\",\"user\":\"jdoe%40safemarch.com\",\"datacentercountry\":\"US\",\"bypassed_session\":\"1\",\"day\":\"Mon\",\"datacentercity\":\"Sa\",\"department\":\"sales\",\"datacenter\":\"CA Client Node DC\",\"deviceappversion\":\"2.0.0.120\",\"day_of_month\":\"16\",\"avgduration\":\"600\",\"dept\":\"Sales\",\"eedone\":\"Yes\",\"deviceowner\":\"jsmith\",\"external_deviceid\":\"1234\",\"durationms\":\"600\",\"forward_gateway_name\":\"FWD_1\",\"epochtime\":\"1578128400\",\"ipcat\":\"Finance\",\"flow_type\":\"Direct\",\"location\":\"Headquarters\",\"hour\":\"22\",\"login\":\"jdo%40safemarch.com\",\"ips_custom_signature\":\"0\",\"month\":\"Oct\",\"locationname\":\"Headquarters\",\"dnat\":\"Yes\",\"minute\":\"55\",\"odevicename\":\"2175092224\",\"month_of_year\":\"10\",\"ofwd_gw_name\":\"8794487099\",\"ocsip\":\"9960223283\",\"oipcat\":\"CustomCategory-141\u0000known\u0000 
\",\"odeviceowner\":\"10831489\",\"odnatlabel\":\"7956407282\",\"odevicehostname\":\"2168890624\",\"orulelabel\":\"624054738\",\"oipsrulelabel\":\"6200694987\",\"second\":\"48\",\"ordr_rulename\":\"3399565100\",\"stateful\":\"Yes\",\"ozpa_app_seg_name\":\"7648246731\",\"threatcat\":\"Botnet Callback\",\"numsessions\":\"5\",\"tsip\":\"89.160.20.128\",\"threat_name\":\"Linux.Backdoor.Tsunami\",\"year\":\"2023\",\"threatname\":\"Linux.Backdoor\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\",\"tuntype\":\"L2 tunnel\",\"ztunnelversion\":\"ZTUNNEL_1_0\"}}" + } + ] +} \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json new file mode 100644 index 00000000000..e025fa4e048 --- /dev/null +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json 
@@ -0,0 +1,242 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "destination": { + "bytes": 10000, + "domain": "www.example.com", + "geo": { + "country_iso_code": "USA" + }, + "ip": [ + "2a02:cf40::", + "67.43.156.0" + ], + "port": [ + 22, + 443 + ] + }, + "device": { + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "network" + ], + "duration": 600000000, + "id": "123456", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-fw\",\"event\":{\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"cltdomain\":\"www.example.com\",\"cdip\":\"2a02:cf40::\",\"outbytes\":\"10000\",\"cdport\":\"22\",\"destcountry\":\"USA\",\"devicemodel\":\"20L8S7WC08\",\"sdip\":\"67.43.156.0\",\"duration\":\"600\",\"sdport\":\"443\",\"tz\":\"GMT\",\"action\":\"Blocked\",\"devicehostname\":\"THINKPADSMITH\",\"recordid\":\"123456\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicename\":\"admin\",\"nwsvc\":\"HTTP\",\"deviceostype\":\"iOS\",\"ipsrulelabel\":\"Default IPS Rule\",\"nwapp\":\"Skype\",\"rdr_rulename\":\"FWD_Rule_1\",\"proto\":\"TCP\",\"rulelabel\":\"rule1\",\"dnatrulelabel\":\"DNAT_Rule_1\",\"srcipcountry\":\"United States\",\"rule\":\"Default_Firewall_Filtering_Rule\",\"ssip\":\"1.128.0.0\",\"inbytes\":\"10000\",\"ssport\":\"22\",\"csip\":\"0.0.0.0\",\"aggregate\":\"Yes\",\"csport\":\"25\",\"bypass_time\":\"Mon Oct 16 22:55:48 2023\",\"user\":\"jdoe%40safemarch.com\",\"datacentercountry\":\"US\",\"bypassed_session\":\"1\",\"day\":\"Mon\",\"datacentercity\":\"Sa\",\"department\":\"sales\",\"datacenter\":\"CA Client Node 
DC\",\"deviceappversion\":\"2.0.0.120\",\"day_of_month\":\"16\",\"avgduration\":\"600\",\"dept\":\"Sales\",\"eedone\":\"Yes\",\"deviceowner\":\"jsmith\",\"external_deviceid\":\"1234\",\"durationms\":\"600\",\"forward_gateway_name\":\"FWD_1\",\"epochtime\":\"1578128400\",\"ipcat\":\"Finance\",\"flow_type\":\"Direct\",\"location\":\"Headquarters\",\"hour\":\"22\",\"login\":\"jdo%40safemarch.com\",\"ips_custom_signature\":\"0\",\"month\":\"Oct\",\"locationname\":\"Headquarters\",\"dnat\":\"Yes\",\"minute\":\"55\",\"odevicename\":\"2175092224\",\"month_of_year\":\"10\",\"ofwd_gw_name\":\"8794487099\",\"ocsip\":\"9960223283\",\"oipcat\":\"CustomCategory-141known \",\"odeviceowner\":\"10831489\",\"odnatlabel\":\"7956407282\",\"odevicehostname\":\"2168890624\",\"orulelabel\":\"624054738\",\"oipsrulelabel\":\"6200694987\",\"second\":\"48\",\"ordr_rulename\":\"3399565100\",\"stateful\":\"Yes\",\"ozpa_app_seg_name\":\"7648246731\",\"threatcat\":\"Botnet Callback\",\"numsessions\":\"5\",\"tsip\":\"89.160.20.128\",\"threat_name\":\"Linux.Backdoor.Tsunami\",\"year\":\"2023\",\"threatname\":\"Linux.Backdoor\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\",\"tuntype\":\"L2 tunnel\",\"ztunnelversion\":\"ZTUNNEL_1_0\"}}", + "timezone": "GMT", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + } + }, + "network": { + "application": "skype", + "bytes": 20000, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "ZIA", + "type": "firewall", + "vendor": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "2a02:cf40::", + "67.43.156.0", + "0.0.0.0", + "1.128.0.0", + "89.160.20.128" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "Default IPS Rule", + "DNAT_Rule_1", + "FWD_Rule_1", + "Default_Firewall_Filtering_Rule", + "rule1" + ] + }, + "source": { + "bytes": 
10000, + "geo": { + "country_name": "United States" + }, + "ip": [ + "0.0.0.0", + "1.128.0.0" + ], + "port": [ + 25, + 22 + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "zscaler_zia": { + "firewall": { + "action": "Blocked", + "aggregate": "Yes", + "bypassed": { + "session": "1", + "time": "2023-10-16T22:55:48.000Z" + }, + "bytes_in": 10000, + "client": { + "destination": { + "ip": "2a02:cf40::", + "port": 22 + }, + "domain": "www.example.com", + "source": { + "ip": "0.0.0.0", + "port": 25 + } + }, + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "sales", + "dept": "Sales", + "destination": { + "country": "USA" + }, + "device": { + "appversion": "2.0.0.120", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "admin", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith" + }, + "duration": { + "average_duration": 600, + "milliseconds": 600, + "seconds": 600 + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external_device_id": "1234", + "flow_type": "Direct", + "forward_gateway_name": "FWD_1", + "hour": 22, + "ip_category": "Finance", + "ip_protocol": "TCP", + "ips": { + "custom_signature": "0", + "rule_label": "Default IPS Rule" + }, + "location": "Headquarters", + "location_name": "Headquarters", + "login": "jdo@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "nat": "Yes", + "nat_rule_label": "DNAT_Rule_1", + "network": { + "application": "Skype", + "service": "HTTP" + }, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "forward_gateway_name": "8794487099", + "host_name": "2168890624", + "ip": { + "category": "CustomCategory-141known " + }, + 
"ips_rule_label": "6200694987", + "nat_label": "7956407282", + "redirect_policy_name": "3399565100", + "rule_label": "624054738", + "zpa_app_segment": "7648246731" + }, + "out_bytes": 10000, + "record": { + "id": "123456" + }, + "redirect_policy_name": "FWD_Rule_1", + "rule": "Default_Firewall_Filtering_Rule", + "rule_label": "rule1", + "second": 48, + "server": { + "destination": { + "ip": "67.43.156.0", + "port": 443 + }, + "source": { + "ip": "1.128.0.0", + "port": 22 + } + }, + "session": { + "count": 5 + }, + "source_ip_country": "United States", + "stateful": "Yes", + "threat": { + "category": "Botnet Callback", + "name": "Linux.Backdoor" + }, + "threat_name": "Linux.Backdoor.Tsunami", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "tunnel": { + "ip": "89.160.20.128", + "type": "L2 tunnel" + }, + "user": "jdoe@safemarch.com", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index a97998c0d36..fd4d1efacff 100644 --- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -18,6 +18,12 @@ processors: ignore_missing: true description: The `message` field is no longer required if the document has an `event.original` field. if: ctx.event?.original != null + - gsub: + field: event.original + tag: gsub_replace_null_unicode + pattern: "[\u0000]" + replacement: "" + if: ctx.event?.original != null - json: field: event.original tag: json_event_original 
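Review bot: The new gsub rewrites `event.original` in place, so the value retained under `preserve_original_event` no longer matches the bytes the pipeline received (the new expected fixture shows `CustomCategory-141known ` where the input carried NUL bytes), which weakens its use as an evidential copy of the raw event. Consider stripping the NUL bytes only on the path that feeds the json processor, or at least state the trade-off on the processor with `description: Strip NUL bytes so the json processor can parse the event; this alters event.original.`. The character class matches only U+0000, so other unescaped control characters would still make the json processor fail unless an on_failure handler catches them, which this hunk does not show. Note also that `pattern: "[\u0000]"` depends on the YAML double-quote escape emitting a literal NUL into the regex; Java's regex engine understands `\u0000` itself, so a single-quoted `'\u0000'` would express the intent without relying on the YAML escape.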
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log index aeac0d96f76..c40d5717740 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log 
@@ -1,2 +1,2 @@ -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","refererurl":"www.example.com","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com%2Findex","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination 
Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","refererurl":"www.example.com","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com%2Findex","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe 
Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type 
Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} \ No newline at end of file +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment 
Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json index d65fa098a97..a4fb864cebe 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json 
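Review bot: Both new fixture lines carry only well-formed, padding-free base64 in `b64url` and `b64referer`, so the expected-output test cannot show how a malformed value is handled. If the web pipeline decodes these fields (the pipeline itself is not in this hunk), a third line with a non-base64 value, for example `"b64url":"not base64!"` (constructed), would pin whether the decode failure surfaces in `error.message`, leaves the field raw, or drops the event. Since the format change also introduces `"version":"v9"`, keeping one legacy line without that key would confirm the older `eurl`/`refererurl` shape still parses, if the pipeline is meant to stay backward-compatible.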
@@ -37,7 +37,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com%2Findex\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate 
Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
@@ -461,7 +461,7 @@
 ],
 "id": "123456789",
 "kind": "event",
- "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com%2Findex\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
+ "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate 
Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
index 9261975fd9e..877e9728c6c 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
@@ -1,5 +1,7 @@
-{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23%3A20%3A50.52Z","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted 
File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com%3A443","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon 
Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test 
File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com.com/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.youtube.com/api/stats/abcd?afmt=251&bat=330.017%3A0.96%3A1&bh=330.017%3A121.264&bwe=330.017%3A7458601&bwm=330.017%3A2407754%3A0.844&c=WEB&cbr=Edge+Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017%3A328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1%2C23848225%2C137802%2C18617%2C204121%2C230596%2C222097%2C16229%2C133212%2C14625955%2C11684381%2C7222%2C14207%2C9859%2C12177%2C9954%2C1192%2C7913%2C18310%2C273%2C4147%2C2819%2C2%2C16344%2C1424%2C19204%2C9948%2C2196%2C9996%2C19%2C2%2C1082%2C6953%2C101%2C1401%2C9542%2C2471%2C3292%2C2716%2C1538%2C723%2C2575%2C9567%2C1375%2C3761%2C4162%2C8610%2C173%2C201%2C10406%2C321%2C148%2C2%2C343%2C1783%2C14%2C1322%2C50%2C621%2C702%2C1062%2C1769%2C1823%2C896%2C2291%2C2912%2C7568%2C342&fmt=398&ns=yt&referrer=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Disa90_67as&sdetail=rv%3Aisa89_68ad&seq=13&sourceid=yw&vps=330.017%3APL","useragent":"Mozilla/5.0","login":"jdo
e@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for 
http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","refererpath":"/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com%3A443","urlpath":"/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","department":"Department%5CrN%40me","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
\ No newline at end of file
+{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted 
File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 
365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"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","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 
2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"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","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json index 0b34939b972..8aa98a42859 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json 
@@ -25,7 +25,7 @@
 ],
 "id": "123456789",
 "kind": "event",
- "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23%3A20%3A50.52Z\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
+ "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -445,7 +445,7 @@
 ],
 "id": "123456780",
 "kind": "event",
- "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com%3A443\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
+ "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -863,7 +863,7 @@
 ],
 "id": "123456781",
 "kind": "event",
- "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com.com/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
+ "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR 
Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -1282,7 +1282,7 @@ ], "id": "123456781", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.youtube.com/api/stats/abcd?afmt=251&bat=330.017%3A0.96%3A1&bh=330.017%3A121.264&bwe=330.017%3A7458601&bwm=330.017%3A2407754%3A0.844&c=WEB&cbr=Edge+Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017%3A328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1%2C23848225%2C137802%2C18617%2C204121%2C230596%2C222097%2C16229%2C133212%2C14625955%2C11684381%2C7222%2C14207%2C9859%2C12177%2C9954%2C1192%2C7913%2C18310%2C273%2C4147%2C2819%2C2%2C16344%2C1424%2C19204%2C9948%2C2196%2C9996%2C19%2C2%2C1082%2C6953%2C101%2C1401%2C9542%2C2471%2C3292%2C2716%2C1538%2C723%2C2575%2C9567%2C1375%2C3761%2C4162%2C8610%2C173%2C201%2C10406%2C321%2C148%2C2%2C343%2C1783%2C14%2C1322%2C50%2C621%2C702%2C1062%2C1769%2C1823%2C896%2C2291%2C2912%2C7568%2C342&fmt=398&ns=yt&referrer=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Disa90_67as&sdetail=rv%3Aisa89_68ad&seq=13&sourceid=yw&vps=330.017%3APL\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit 
Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination 
Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
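Review bot: The replacement fixture for record 123456781 exercises only a well-formed `b64referer` (`d3d3LmV4YW1wbGUuY29t`), and the same holds for the 123456782 fixture in the hunk at 1701; nothing in these hunks feeds the pipeline a malformed or non-base64 `b64referer`/`b64url`, so the decode failure path and whatever `on_failure` handling the pipeline applies are not pinned by this expected output. Consider adding one sample event with an invalid base64 value and recording its expected `error.message` here. The `b64url` value on this line is not readable in this view, so I could not check that one.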
@@ -1701,7 +1701,7 @@ ], "id": "123456782", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"refererpath\":\"/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com%3A443\",\"urlpath\":\"/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe 
Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"department\":\"Department%5CrN%40me\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 
2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ @@ -1736,7 +1736,7 @@ "request": { "bytes": 1300, "method": "invalid", - "referrer": "www.example.com" + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" }, "response": { "bytes": 10500 
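Review bot: The new expected `http.request.referrer` keeps the decoded referer's entire query string (`filters=...&form=S00&q=how+to+use+remote+desktop...`) verbatim and without a scheme, where the old value was the bare host. That is consistent with the `b64referer` input added in the hunk at 1701, but referrer query strings commonly carry identifiers from the referring site, so the package field documentation should say that the decoded referer is indexed in full, e.g. `The referrer of the request, decoded from b64referer, including its query string.` If host-only behaviour for `http.request.referrer` was intended to be preserved, the decoded value would need to be split before it is mapped.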
@@ -1876,7 +1876,847 @@ }, "day": "Mon", "day_of_month": 16, - "department": "Department\\rN@me", + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + 
"dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { 
+ "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "www.example.com:443" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client 
Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"dC5jb3Vwb25zLmNvbS9iLnBocD90cmFuc2FjdGlvbklkPUkvdHNJZD09JmV2ZW50VHlwZT1FbGVtZW50SW5WaWV3JmVsZW1lbnROYW1lPVROX1NXQiZvYmplY3RzPXsibGlua1VybCI6Imh0dHBzOi8vd3d3LmNvdXBvbnMuY29tL2RhaWx5LXNhbGVzLzcyLWhvdXItY2xlYXJvdXQiLCJsaW5rVGV4dCI6IlVwJTIwdG8lMjA3MCUlMjBPRkYlMjB8JTIwNzItSG91ciUyMENsZWFyb3V0IiwidGV4dENvbG9yIjoiI0ZGRkZGRiIsInByb21vRW5kRGF0ZSI6bnVsbCwiY3VzdG9tRmllbGQxIjoiVXAlMjB0byUyMDcwJSUyME9GRiUyMHwlMjA3Mi1Ib3VyJTIwQ2xlYXJvdXQifSZsaW5rVXJsPWh0dHBzOi8vd3d3LmNvdXBvbnMuY29tL2RhaWx5LXNhbGVzLzcyLWhvdXItY2xlYXJvdXQmbGlua1RleHQ9VXAlMjB0byUyMDcwJSUyME9GRiUyMHwlMjA3Mi1Ib3VyJTIwQ2xlYXJvdXQmdGV4dENvbG9yPSNGRkZGRkYmcHJvbW9FbmREYXRlPSZjdXN0b21GaWVsZDE9VXAlMjB0byUyMDcwJSUyME9GRiUyMHwlMjA3Mi1Ib3VyJTIwQ2xlYXJvdXQmcGFnZUlkPSZ0aW1lc3RhbXA9MTcyNDY4Mjc3NzE5OA==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record 
Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended 
Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + 
"thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "t.coupons.com", + "extension": "php", + "fragment": "FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "full": "https://t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "original": 
"https://t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "path": "/b.php", + "query": "transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + 
"department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } 
+ }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": 
"nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical 
(90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client 
Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended 
Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + 
"thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "original": "https://example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "path": "/", + "query": "partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + 
"ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", "device": { "appversion": "1.128.0.1", "hostname": "THINKPADSMITH", @@ -2003,8 +2843,7 @@ "redirect_policy_name": "FWD_Rule_1", "referer": { "host": "www.example.com for http://www.example.com/index.html", - "name": "www.example.com", - "path": "/search?filters=guid:\"40-en-dia\" lang:\"en\"&form=S00&q=how to use remote desktop to connect to a windows 10 pc" + "name": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" }, "request": { "header_size": 300, @@ -2081,8 +2920,7 @@ "category_method": "Database A", "class": "Bandwidth Loss", "filter_rule_label": "URL_Filtering_2", - "name": "www.example.com:443", - "path": "/params?Id=1&ts=2006-01-02T15:04:05Z07:00&user=65792&version=10.0.19041.1266" + "name": "example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid" }, "user_agent": { "class": "Firefox", diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml index 581075c78fb..cdf73afde1e 100644 --- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml 
@@ -121,6 +121,10 @@ processors:
 tag: urldecode_apprulelabel
 target_field: zscaler_zia.web.app.rule_label
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: rule.name
 tag: append_zscaler_zia_web_app_rule_label_into_rule_name
@@ -361,6 +365,10 @@ processors:
 tag: urldecode_devicename
 target_field: zscaler_zia.web.device.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: host.hostname
 tag: set_host_hostname_from_web_device_name
@@ -531,6 +539,10 @@ processors:
 tag: urldecode_filename
 target_field: zscaler_zia.web.file.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: file.name
 tag: append_zscaler_zia_web_file_name_into_file_name
@@ -593,6 +605,10 @@ processors:
 tag: urldecode_host
 target_field: zscaler_zia.web.host
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: destination.domain
 tag: set_destination_domain_from_web_host
@@ -634,16 +650,19 @@ processors:
 tag: urldecode_location
 target_field: zscaler_zia.web.location
 ignore_missing: true
- - urldecode:
- field: json.department
- tag: urldecode_department
- target_field: zscaler_zia.web.department
- ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - urldecode:
 field: json.login
 tag: urldecode_login
 target_field: zscaler_zia.web.login
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: user.email
 tag: set_user_email_from_web_login
@@ -723,6 +742,10 @@ processors:
 tag: urldecode_mobappname
 target_field: zscaler_zia.web.mobile.application.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - rename:
 field: json.mobdevtype
 tag: rename_mobdevtype
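Review bot: Dropping the `json.department` urldecode here, together with `json.refererurl`/`json.refererpath` at @@ -902, `json.eurl` at @@ -1326 and `json.urlpath` plus the `url.original` urldecode at @@ -1365, means a feed still configured with the older v7 output format will have those fields silently ignored instead of decoded, and nothing in the pipeline detects which format is arriving. The test expectations suggest the v9 format carries `dept`, `b64referer` and `b64url` in their place, so I presume the corresponding rename/decode processors exist outside these hunks, but a v7 event would now produce a document with no URL and no error. If v7 support is intentionally dropped, the changelog and the README feed-format section should say so, and a guard that appends to `error.message` when neither `b64url` nor `eurl` is present would make a mismatched feed visible in the data rather than invisible.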
@@ -902,16 +925,21 @@ processors:
 tag: urldecode_refererhost
 target_field: zscaler_zia.web.referer.host
 ignore_missing: true
- - urldecode:
- field: json.refererurl
- tag: urldecode_refererurl
- target_field: zscaler_zia.web.referer.name
- ignore_missing: true
- - urldecode:
- field: json.refererpath
- tag: urldecode_refererpath
- target_field: zscaler_zia.web.referer.path
- ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Decode referer
+ tag: decode_b64referer
+ lang: painless
+ if: ctx.json?.b64referer != null && ctx.json.b64referer != ''
+ source: ctx.json.referer = ctx.json.b64referer.decodeBase64();
+ - set:
+ field: zscaler_zia.web.referer.name
+ tag: set_web_referer_name_from_referer
+ copy_from: json.referer
+ ignore_empty_value: true
 - set:
 field: http.request.referrer
 tag: set_http_request_referrer_from_web_referer_name
@@ -1045,6 +1073,10 @@ processors:
 tag: urldecode_rulelabel
 target_field: zscaler_zia.web.rule.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: rule.name
 tag: append_zscaler_zia_web_rule_name_into_rule_name
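Review bot: The new `decode_b64referer` script has no `on_failure` handler, while every urldecode processor touched by this commit gets one; the same applies to `decode_b64url` at @@ -1326. The referer and URL are values observed from client traffic that the feed passes through, so a value that is not valid base64 (or a `b64referer` that arrives as a non-string type) would make `decodeBase64()` throw and the whole document would be rejected by the pipeline, losing the event instead of recording the decode problem. Adding the same `error.message` append used on the urldecode processors keeps the document and leaves the failure visible; the later `set` already tolerates a missing `json.referer` via `ignore_empty_value`. A smaller improvement for the `if` would be `ctx.json?.b64referer instanceof String && ctx.json.b64referer != ''`, which also covers the non-string case.
```yaml
# … unchanged: decode_b64referer description, tag, lang, if …
      source: ctx.json.referer = ctx.json.b64referer.decodeBase64();
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
```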
@@ -1279,6 +1311,10 @@ processors:
 tag: urldecode_upload_filename
 target_field: zscaler_zia.web.upload.file.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: file.name
 tag: append_zscaler_zia_web_upload_file_name_into_file_name
@@ -1326,27 +1362,32 @@ processors:
 tag: urldecode_urlfilterrulelabel
 target_field: zscaler_zia.web.url.filter_rule_label
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: rule.name
 tag: append_zscaler_zia_web_url_filter_rule_label_into_rule_name
 value: '{{{zscaler_zia.web.url.filter_rule_label}}}'
 allow_duplicates: false
 if: ctx.zscaler_zia?.web?.url?.filter_rule_label != null
- - urldecode:
- field: json.eurl
- target_field: json.eurl
- tag: urldecode_eurl
- ignore_missing: true
+ - script:
+ description: Decode url
+ tag: decode_b64url
+ lang: painless
+ if: ctx.json?.b64url != null && ctx.json.b64url != ''
+ source: ctx.json.url = ctx.json.b64url.decodeBase64();
 - set:
 field: zscaler_zia.web.url.name
 tag: set_web_url_name
- copy_from: json.eurl
+ copy_from: json.url
 ignore_empty_value: true
 - script:
 description: Build URI for parsing.
 tag: Build URI for parsing
 lang: painless
- if: ctx.network?.protocol != null && ctx.json?.eurl != null
+ if: ctx.network?.protocol != null && ctx.json?.url != null
 params:
 valid_protocols:
 - http
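Review bot: `decode_b64url` writes the decoded value into `json.url`, and the `Build URI for parsing` script (whose body is in the next hunk) then overwrites that same key with the scheme-prefixed form, so `json.url` carries two different representations depending on where in the processor list it is read: the `set` for `zscaler_zia.web.url.name` sees the bare decoded value, while the `uri_parts` `on_failure` fallback at @@ -1365 now sees the built URI where it previously read the raw `json.eurl`. The result matches the test expectations, but it is order-dependent and will break quietly if a processor is later inserted between these steps. Decoding into a distinct key, e.g. `source: ctx.json.decoded_url = ctx.json.b64url.decodeBase64();`, and pointing the `copy_from`, the `if` and the Build-URI script at `decoded_url` keeps the decoded input and the constructed URI separate.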
@@ -1355,9 +1396,9 @@ processors:
 source: |
 // Remap network.protocol to a valid value, if necessary.
 if (params.valid_protocols.contains(ctx.network.protocol)) {
- ctx.json['url'] = ctx.network.protocol + '://' + ctx.json.eurl;
+ ctx.json['url'] = ctx.network.protocol + '://' + ctx.json.url;
 } else {
- ctx.json['url'] = params.default_protocol + '://' + ctx.json.eurl;
+ ctx.json['url'] = params.default_protocol + '://' + ctx.json.url;
 }
 - uri_parts:
 field: json.url
@@ -1365,26 +1406,12 @@ processors:
 on_failure:
 - set:
 field: url.original
- value: '{{{json.eurl}}}'
- if: ctx.json?.eurl != null && ctx.json.eurl != ''
+ value: '{{{json.url}}}'
+ if: ctx.json?.url != null && ctx.json.url != ''
 - set:
 field: url.full
 value: '{{{url.original}}}'
 if: ctx.url?.original != null && ctx.url.original != ''
- - urldecode:
- field: url.original
- ignore_missing: true
- tag: urldecode_url_original
- if: ctx.url?.original != null && ctx.url.original != ''
- on_failure:
- - append:
- field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- - urldecode:
- field: json.urlpath
- target_field: zscaler_zia.web.url.path
- tag: urldecode_urlpath
- ignore_missing: true
 - rename:
 field: json.useragentclass
 tag: rename_useragentclass
@@ -1420,6 +1447,10 @@ processors:
 tag: urldecode_userlocationname
 target_field: zscaler_zia.web.user_location_name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - convert:
 field: json.year
 tag: convert_year_to_long
diff --git a/packages/zscaler_zia/data_stream/web/fields/fields.yml b/packages/zscaler_zia/data_stream/web/fields/fields.yml
index e6d76b2b3b8..50d3e086fe3 100644
--- a/packages/zscaler_zia/data_stream/web/fields/fields.yml
+++ b/packages/zscaler_zia/data_stream/web/fields/fields.yml
@@ -406,9 +406,6 @@
 - name: name
 type: keyword
 description: The HTTP referer URL.
- - name: path
- type: keyword
- description: The HTTP referer path.
 - name: request
 type: group
 fields:
@@ -592,9 +589,6 @@
 - name: name
 type: keyword
 description: The destination URL.
- - name: path
- type: keyword
- description: The destination URL path.
 - name: user_agent
 type: group
 fields:
diff --git a/packages/zscaler_zia/data_stream/web/sample_event.json b/packages/zscaler_zia/data_stream/web/sample_event.json
index 45990d0664c..9d9b704d325 100644
--- a/packages/zscaler_zia/data_stream/web/sample_event.json
+++ b/packages/zscaler_zia/data_stream/web/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2021-12-31T08:08:08.000Z",
 "agent": {
- "ephemeral_id": "f97a3a33-4778-4f8f-a98e-42c9d5997a3b",
- "id": "3afa5c75-c6e3-41a8-a773-ff6a6356f7b1",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "afba03f3-0a10-4b56-998d-0fd4aa4e71ea",
+ "id": "6df0d50c-dafe-4616-9ed1-10519bfbda98",
+ "name": "elastic-agent-86843",
 "type": "filebeat",
- "version": "8.14.3"
+ "version": "8.15.0"
 },
 "data_stream": {
 "dataset": "zscaler_zia.web",
- "namespace": "98923",
+ "namespace": "65605",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "3afa5c75-c6e3-41a8-a773-ff6a6356f7b1",
+ "id": "6df0d50c-dafe-4616-9ed1-10519bfbda98",
 "snapshot": false,
- "version": "8.14.3"
+ "version": "8.15.0"
 },
 "event": {
 "action": "blocked",
@@ -27,7 +27,7 @@
 "web"
 ],
 "dataset": "zscaler_zia.web",
- "ingested": "2024-07-17T11:07:47Z",
+ "ingested": "2024-08-22T16:05:37Z",
 "kind": "event",
 "timezone": "UTC",
 "type": [
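Review bot: Removing the two `path` field definitions drops the mappings for what, judging by the sibling `name` descriptions, are `zscaler_zia.web.referer.path` and `zscaler_zia.web.url.path`; any saved search, visualization or detection rule that references them will stop matching, and documents written by the previous pipeline version keep the values only until the data stream rolls over to the new mapping. The sample-event hunk that follows is regenerated output and needs no review. If the package changelog does not already flag this as a breaking change (the changelog is not in this view), it should, with the replacement fields (`url.path` from `uri_parts` and the full referer in `zscaler_zia.web.referer.name`) named so users can migrate their queries.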
diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md
index f1b760dfd08..c7179fbe9f8 100644
--- a/packages/zscaler_zia/docs/README.md
+++ b/packages/zscaler_zia/docs/README.md
@@ -214,14 +214,14 @@ Sample Response: ![Escape feed setup image](../img/escape_feed.png?raw=true) See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs) -Zscaler Web Log response format (v7): +Zscaler Web Log response format (v9): ``` -\{"sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","refererurl":"%s{ereferer}","refererpath":"%s{erefererpath}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","eurl":"%s{eurl}","urlpath":"%s{eurlpath}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","clt
sslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","department":"%s{edepartment}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefer
erhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} 
+\{"version":"v9","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_mon
th":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{sr
vcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","refererpath":"/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com/index","urlpath":"/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","department":"Department%5CrN%40me","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} ``` ### Enabling the integration in Elastic: @@ -1572,24 +1572,24 @@ An example event for `web` looks as following: { "@timestamp": "2021-12-31T08:08:08.000Z", "agent": { - "ephemeral_id": "f97a3a33-4778-4f8f-a98e-42c9d5997a3b", - "id": "3afa5c75-c6e3-41a8-a773-ff6a6356f7b1", - "name": "docker-fleet-agent", + "ephemeral_id": "afba03f3-0a10-4b56-998d-0fd4aa4e71ea", + "id": "6df0d50c-dafe-4616-9ed1-10519bfbda98", + "name": "elastic-agent-86843", "type": "filebeat", - "version": "8.14.3" + "version": "8.15.0" }, "data_stream": { "dataset": "zscaler_zia.web", - "namespace": "98923", + "namespace": "65605", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "3afa5c75-c6e3-41a8-a773-ff6a6356f7b1", + "id": "6df0d50c-dafe-4616-9ed1-10519bfbda98", "snapshot": false, - "version": "8.14.3" + "version": "8.15.0" }, "event": { "action": "blocked", @@ -1598,7 +1598,7 @@ An example event for `web` looks as following: "web" ], "dataset": "zscaler_zia.web", - "ingested": "2024-07-17T11:07:47Z", + "ingested": "2024-08-22T16:05:37Z", "kind": "event", "timezone": "UTC", "type": [ 
@@ -1794,7 +1794,6 @@ An example event for `web` looks as following:
 | zscaler_zia.web.redirect_policy_name | The name of the redirect/forwarding policy. | keyword |
 | zscaler_zia.web.referer.host | The hostname of the referer URL. | keyword |
 | zscaler_zia.web.referer.name | The HTTP referer URL. | keyword |
-| zscaler_zia.web.referer.path | The HTTP referer path. | keyword |
 | zscaler_zia.web.request.header_size | The size of the HTTP request header in bytes. | long |
 | zscaler_zia.web.request.method | The HTTP request method. | keyword |
 | zscaler_zia.web.request.payload | The size of the HTTP request payload. | long |
@@ -1840,7 +1839,6 @@ An example event for `web` looks as following:
 | zscaler_zia.web.url.class | The class of the destination URL. | keyword |
 | zscaler_zia.web.url.filter_rule_label | The name of the rule that was applied to the URL filter. | keyword |
 | zscaler_zia.web.url.name | The destination URL. | keyword |
-| zscaler_zia.web.url.path | The destination URL path. | keyword |
 | zscaler_zia.web.user_agent.class | The user agent class. | keyword |
 | zscaler_zia.web.user_agent.name | The full user agent string for both known and unknown agents. | keyword |
 | zscaler_zia.web.user_agent.token | The user agent token. | keyword |
diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml
index 0cce671077b..814cf24c8db 100644
--- a/packages/zscaler_zia/manifest.yml
+++ b/packages/zscaler_zia/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: zscaler_zia
 title: Zscaler Internet Access
-version: "3.2.0"
+version: "3.2.3"
 description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
 type: integration
 categories: